Jump to content

Servise.exe keeps coming back


Recommended Posts

Hi,

In the last 2 weeks I noticed a program running called "servise.exe", and the wrong spelling caught my eye. I scanned my computer with Malwarebytes, and it done a great work. It deleted 1-2 backdoors, 6 kind of trojan downloaders, and then my computer was good for like 1-2 hours. After a little time, I noticed "servise.exe" again in the task manager. It has beel 2-3 weeks now, and every hour I need to kill the process/delete it with MW, because it is coming back. I'm really worried, because it is a trojan downloader, and it's for getting more virus on my computer.

First picture: No description, no details about the version, etc.
Second picture: Size, date of creation (it says 2016 august 29, which is really strange, because I reinstalled my computer in 2017 february :/ )
I attached Addition.txt and FRST.txt.

ps: the language of pictures is in hungarian, sorry for that

bandicam 2017-06-25 11-29-35-734.jpg

bandicam 2017-06-25 11-29-02-293.jpg

Addition.txt

FRST.txt

Edited by gbr1337
Link to post
Share on other sites

Hi gbr1337 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Do you still have the Malwarebytes scan log where the detections occured? If so, please attach it here so I can review it.

Link to post
Share on other sites

I deleted all of them, but now I'll scan my computer again.
By the way, the virus is in a folder that doesn't exist. Does it spoof the location or something?
I attached the log to the reply. (I scanned my computer while I was writing this, and he caught the folder that was hidden.)

rs: the log is in hungarian, sorry for that 

 

TheScanThatReallyCaughtTheVirus.txt

Edited by gbr1337
Link to post
Share on other sites

The folder exists, though it is an hidden system folder, so unless you configured your Folder Options to display such folders, you won't see it.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

fixlist.txt

Link to post
Share on other sites

Alright, let's try something else then. Follow the instructions below.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.

  • Right-click on the executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
    servise
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;

Link to post
Share on other sites

Alright, run the FRST fix below and right after, follow the instruction below to launch ProcMon.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Download Process Monitor from the Sysinternal Suite, and extract the ProcessMonitor.zip archive.

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx 

Once done, launch Procmon.exe with Admin Rights and wait for the program to start capturing (you'll see entries appears very fast). Now, let ProcMon run until the servise.exe process comeback, and let it run for another 5 minutes. Once done, click on the little magnifying lense button to stop the capture.

a3x3Juy.png

After that, click on "File", "Save..." and save the logfile (by default it'll be saved in the ProcessMonitor folder). Compress it (.zip), and attach it in your next post.

Link to post
Share on other sites

I cant attach the logs because of the size limit, so I uploaded it to mediafire. I had a little popup everytime I tried to run Process Monitor. It was called "WinLicense | There is a program monitoring software. Unload it from the memory and restart it." I attached photos of "modules" of the virus.

ps: I didnt saw servise.exe in the log, only taskmgr.exe processes that is in connection with the virus.

https://www.mediafire.com/?u2h5dmvjz23p5dd

bandicam 2017-06-27 18-05-25-123.jpg

bandicam 2017-06-27 18-05-31-306.jpg

Link to post
Share on other sites

Quote

I had a little popup everytime I tried to run Process Monitor. It was called "WinLicense | There is a program monitoring software. Unload it from the memory and restart it."

Are you able to reproduce that pop-up, take a screenshot of it and attach it here?

Also, do you have the fixlog.txt from the FRST fix? If so, please attach it here as well.

Link to post
Share on other sites

Apparently WinLicense is associated with one of your game, probably to prevent you from tampering with it. I can't tell which one it comes from though. Leave that pop-up open, open your Task Manager, then right-click on the window name (most likely WinLicense), and select Go to details. What's the process associated with it, and where is the file located?

As for servise.exe, I can see the file being created through taskmgr.exe (CreateFile operation), but I cannot say how or why. Was the Task Manager open when you ran ProcMon?

 

Link to post
Share on other sites

The "WinLicense" pop-up's name is "windir", and it kills itself when I open Task Manager. I managed to see its details by Process Manager, i'll attach photos.
Actually, this windir thingy is associated with servise.exe, and he doesnt even cared about the fact that I can see his e-mail.
(It's a bitcoin miner connected to minergate.com)

I think Task Manager wasn't running, when I captured with ProcMon.
Should I send him a message on his e-mail?

 

bandicam 2017-06-27 19-31-14-465.jpg

bandicam 2017-06-27 19-45-13-926.jpg

Edited by gbr1337
Link to post
Share on other sites

Looks to me like your system has been compromised to the core. I doubt sending him an email will do anything.

Run a new scan with FRST and provide me a fresh set of logs. Meanwhile I'll check the ProcMon trace you sent me for traces of windir.exe.

Link to post
Share on other sites

That taskmgr.exe looked suspect to me. It's not the legit one. Alright, follow the instructions below.

EndqYRa.pngSystem File Checker (SFC)
Follow the instructions below to run a SFC scan on your system and to provide the CBS log in your next reply;

  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Spcusrh.pngRun as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1 and Windows 10, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    sfc /scannow

    Note: There's a space between "sfc" and "/scannow";
  • Once the scan is complete, enter the command below and press on Enter
    copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"
  • A file called cbs.txt will have appeared on your Desktop. Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;


Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the SFC scan is completed, it won't have the information from the scan anymore. So archive it and upload it as soon as you can.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.