
False positive?


netmars

Hello,
Malwarebytes Anti-Malware detected Trojan.Agent.Gen in C:\users\username\appdata\roaming\smsvchost.exe.
But VirusTotal seems OK (only 1/54 reported a trojan).

https://www.virustotal.com/cs/file/96b3f5dc84ed4031677ec126bf1fda205197c0af62c25b9ace20eee30b2164f0/analysis/1415085984/
So is it a false positive, and is it OK?

I attached the file itself and the test logs.

Thanks!

SMSvcHost.rar

Addition.txt

aswMBR.txt

FRST.txt

malwarebites.txt


  • Staff

Hello again,

Not quite so sure this is a false positive yet.

That exe name is typically found buried in one of the .NET\Framework directories, not showing up as a hidden/system file in Roaming.

It is very unusual for executables to be sitting right in the root of the Roaming directory.

Do you know what put them there? Something you installed?

There are a couple of other files sitting in the same folder I would like to have a look at if possible (they also have the hidden/system attributes).

Can you zip these files & attach as well?

C:\Users\Netmars\AppData\Roaming\nssm.exe

C:\Users\Netmars\AppData\Roaming\Runservice.exe

What is in here?

C:\Users\Netmars\AppData\Roaming\kernel

And ... here?

C:\Windows\66588

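An added example, not code from the thread or from Malwarebytes staff: a PowerShell script that does the triage the reply above describes by hand. It lists every executable and DLL sitting directly in the root of %APPDATA% (...\AppData\Roaming), including hidden/system ones, and for each records its attributes, Authenticode status, SHA-256, and whether a same-named file exists under the .NET Framework directories, where a legitimate SMSvcHost.exe would normally live. The function names, the VirusTotal lookup URL format and the choice of "known good" directories are assumptions made for this example.

```powershell
# Added example (not from the forum thread): triage executables and DLLs found
# directly in the root of %APPDATA%\Roaming. Function name, the VirusTotal URL
# format and the "known good" directories below are assumptions for illustration.

# Where the legitimate SMSvcHost.exe normally lives (.NET Framework directories).
$frameworkRoots = @(
    "$env:SystemRoot\Microsoft.NET\Framework",
    "$env:SystemRoot\Microsoft.NET\Framework64"
)

function Get-RoamingExecutableReport {
    param(
        [string]$Root = $env:APPDATA   # %APPDATA% already resolves to ...\AppData\Roaming
    )

    # -Force is essential: the files in the thread carry the Hidden/System
    # attributes, and Get-ChildItem skips such files unless -Force is given.
    Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.exe', '.dll') } |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

            # Is there a same-named file where this binary would legitimately live?
            $knownCopy = Get-ChildItem -Path $frameworkRoots -Recurse -Filter $file.Name -ErrorAction SilentlyContinue |
                         Select-Object -First 1

            [pscustomobject]@{
                Path        = $file.FullName
                Hidden      = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
                System      = ($file.Attributes -band [IO.FileAttributes]::System) -ne 0
                SizeBytes   = $file.Length
                Created     = $file.CreationTime
                Signature   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256      = $hash
                LegitCopy   = if ($knownCopy) { $knownCopy.FullName } else { $null }
                # A name that shadows a .NET binary but a hash that differs from it
                # is the pattern the thread is looking at.
                SameAsLegit = if ($knownCopy) {
                                  (Get-FileHash -LiteralPath $knownCopy.FullName -Algorithm SHA256).Hash -eq $hash
                              } else { $null }
                VtLookup    = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
            }
        }
}

# Usage: run as the affected user so that %APPDATA% resolves to their profile.
Get-RoamingExecutableReport | Format-List
```

Run it from a normal (non-elevated) prompt as the user whose profile is in question; an elevated prompt started from another account would resolve $env:APPDATA to the wrong profile. A hidden, unsigned .exe in this directory whose name shadows a Microsoft binary but whose hash does not match the real one is the case the reply describes, and the SHA-256 is what you paste into the VirusTotal search rather than re-uploading the sample.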

  • Staff

Thanks for the files.

Let me look through the stuff you attached & I'll get back.

Any chance you are running bitcoin miner(s)?

Notice stuff slower than usual? CPU spiked to the moon?

I am surprised your Avast has not tried to tag & bag "runservice.exe" as a "Potentially unwanted program":

https://www.virustotal.com/en/file/413f032c71a4ab84890c501ff0e09277b65a05ff49e0e09f791c6a584d489926/analysis/1415302619/

The DLLs look to be OK; they are likely supporting DLLs for the exes in there and not malicious in themselves.

nssm.exe appears to be a program that makes it easier to install/remove services.

nircmd is a command-line tool that can carry out many tasks. Legitimate, but it can be used for non-legitimate purposes too.

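An added example, not from the thread: a PowerShell script for the two checks the reply raises, a process burning CPU from a user-writable directory (the miner) and a service installed through nssm.exe (nssm registers a service whose binary is nssm itself and keeps the program it actually launches in that service's Parameters registry key). The function names and the "\AppData\" path pattern are assumptions for this example; nothing here is tied to the specific file names in the thread except nssm.exe.

```powershell
# Added example (not from the forum thread): find processes running from AppData
# and services wrapped with nssm. Function names and path patterns are assumptions.

function Get-AppDataProcesses {
    # Win32_Process exposes the image path and the full command line. CPU time
    # (seconds of processor time since start) comes from Get-Process; it is $null
    # for processes the current user cannot open.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -like '*\AppData\*' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid         = $_.ProcessId
                Path        = $_.ExecutablePath
                CpuSeconds  = if ($proc -and $null -ne $proc.CPU) { [math]::Round($proc.CPU, 1) } else { $null }
                Started     = $_.CreationDate
                ParentPid   = $_.ParentProcessId
                CommandLine = $_.CommandLine
            }
        } |
        Sort-Object CpuSeconds -Descending
}

function Get-WrappedServices {
    # nssm installs a service whose ImagePath is nssm.exe; the real target and its
    # arguments are stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters
    # (values Application and AppParameters). Services whose binary lives under
    # AppData are reported as well.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'nssm\.exe|\\AppData\\' } |
        ForEach-Object {
            $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service     = $_.Name
                State       = $_.State
                StartMode   = $_.StartMode
                Binary      = $_.PathName
                Application = if ($params) { $params.Application } else { $null }
                Arguments   = if ($params) { $params.AppParameters } else { $null }
            }
        }
}

# Usage: an elevated prompt sees every process's path and command line;
# a non-elevated one only sees the current user's.
Get-AppDataProcesses | Format-Table -AutoSize
Get-WrappedServices  | Format-List
```

A miner that has been running for a while shows up at the top of the first list with CpuSeconds far above anything else from AppData, which answers the "CPU spiked to the moon?" question even on a machine fast enough that the user never noticed. The second list shows what nssm is actually wrapping, which is the part a plain service listing hides.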

Yes, nothing suspicious is reported by Avast at all, even when I directly scan those files...

And no, I never used any bitcoin miner apps or anything like it.

And I did not notice any bad behaviour, but the problem is, I have a pretty powerful computer which is quite new (Core i7-4790K, 16 GB RAM and GTX 970). So I can't be so sure about the computer not having any slowdowns; I just didn't notice anything for now.


  • Staff

Here is the initial exe you uploaded, unpacked (the packed one only had us detecting it).

Once unpacked, though, it's a different story:

https://www.virustotal.com/en/file/074fe33ccfd26e0c874eef0bf54675df0f51e5854a3075214cf92b9ecd024c8c/analysis/1415304550/

Looks like something you installed recently installed the bitcoin miner, so your machine is now mining bitcoins for someone else! Nice, eh? :(

If you didn't have a high-end box, you likely would have noticed quite a performance hit.

Probably wouldn't hurt to head over to the malware removal forum section and let the helpers work with you to remove anything else lurking behind.

Post a link to this thread for them too so they know what is going on.

SMSvcHost.exe & RunService.exe can be nuked from the Roaming directory for now. This'll nuke the miner, and the guys over at malware removal can help clean up anything else left over.

Please see:

https://forums.malwarebytes.org/index.php?/topic/119858-available-assistance-for-possibly-infected-computers/


The fact that it was running in %appdata%\Roaming and was marked with the Hidden attribute was definitely a sign of being malicious. That, and using LibCurl, was a definite sign of BitCoin mining. My question is: is it somehow using Tor and an .onion site on the Black (Dark) Web?


  • Staff

Hi again Netmars,

You can also disable that fake "Java Updater" task. It is launching nircmd.exe, which in turn is likely up to no good given the fact that it is hidden and in an oddball directory.

The easiest way is likely to use Autoruns from Sysinternals.

http://live.sysinternals.com/autoruns.exe

Save the above file > right-click it > Run as administrator.

Once all the info is loaded, go to the Scheduled Tasks tab.

Highlight the Java Updater one (the path to nircmd will show at the bottom of the Autoruns window if you highlighted the right one).

Uncheck it. This just disables it, in case your helper wants the file or anything.

Exit Autoruns.

Best to reboot so the task is no longer running if it is at the time of the scan.

Careful with Autoruns. Most of what you see in the scan results is normal.

David:

I can't see any definite URLs or anything indicating where this miner is chattering to/through.

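An added example, not from the thread: the same check the Autoruns steps above perform, done from PowerShell so it can be repeated or scripted. It queries the task scheduler with schtasks.exe (which also exists on Windows 7, where Get-ScheduledTask is not available), reports every task whose action runs something matching a suspicious pattern, and can disable them rather than delete them, for the same reason the reply says to uncheck instead of remove. The function names are assumptions; the default patterns are taken from the locations named earlier in the thread (nircmd, the Roaming root, C:\Windows\66588), and the task name "Java Updater" is only quoted from the reply, not assumed by the code.

```powershell
# Added example (not from the forum thread): list and optionally disable scheduled
# tasks whose action runs from an unusual location. Function names are assumptions.

function Get-SuspiciousScheduledTasks {
    param(
        # Substrings that should not normally appear in a task's "Task To Run" action.
        # Defaults are the locations mentioned in the thread.
        [string[]]$Patterns = @('nircmd', '\AppData\Roaming\', '\Windows\66588')
    )
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # /V adds the "Task To Run" column; /FO CSV makes the output parseable.
    # schtasks repeats the CSV header once per task folder, so those rows are dropped.
    schtasks.exe /Query /FO CSV /V 2>$null |
        ConvertFrom-Csv |
        Where-Object {
            $_.TaskName -ne 'TaskName' -and
            $_.'Task To Run' -match $regex
        } |
        Select-Object TaskName, Status, 'Task To Run', Author, 'Run As User', 'Schedule Type'
}

function Disable-SuspiciousScheduledTasks {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Patterns)

    $tasks = if ($Patterns) { Get-SuspiciousScheduledTasks -Patterns $Patterns }
             else           { Get-SuspiciousScheduledTasks }

    foreach ($t in $tasks) {
        if ($PSCmdlet.ShouldProcess($t.TaskName, 'Disable scheduled task')) {
            # Disable, do not delete: the task definition stays available for whoever
            # is helping with the cleanup. TaskName from schtasks is the full
            # path (e.g. "\Java Updater"), which /TN accepts as-is.
            schtasks.exe /Change /TN $t.TaskName /Disable | Out-Null
        }
    }
}

# Usage: review first, then disable from an elevated prompt.
Get-SuspiciousScheduledTasks | Format-List
# Disable-SuspiciousScheduledTasks -WhatIf   # dry run: prints what would be disabled
# Disable-SuspiciousScheduledTasks           # actually disables them
```

Two caveats: the column names come from schtasks and are localised, so on a non-English Windows the "Task To Run" and "TaskName" headers have different text and the filter needs adjusting; and disabling the task stops future launches but not a copy already running, which is why the reply recommends a reboot before the next scan.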

  • Staff

backtrack for me:

https://forums.malwarebytes.org/index.php?/topic/160222-smsvchostexe/

It may be some time before any of the helpers get to you in your other thread. They are pretty busy & everyone is a volunteer.

We stopped it from running so now it is just a matter of looking for any leftover bits & pieces not immediately visible in the logs. (if anything)


Hi.

I have taken care of your log in the malware removal section. From now on, stick only with that thread; if we start taking multiple actions it could confuse both you and me. I will go through the logs, see what I can find, and if anything else is needed you can return here.

Cheers,

Naat :)
