Jump to content

Infected svchost and dlls

xxyyxx

By xxyyxx
in Resolved Malware Removal Logs

 Share

Recommended Posts

xxyyxx

xxyyxx

Posted
Posted (edited)

I've been struggling with malware that keeps coming back to my Windows install.

This Windows install is not clean because I haven't had the need to use it since I use Debian as my main OS

This is the second time I do a Windows restore since everytime I try to clean dlls the system breaks down

I've used malwarebytes, spybot search and destroy and I get a clean analysis so I tried to use boot up recovery disks, sfc /scannow and lastly "Unhack me" where I could see the suspicious files but

manually since the programs above trust all "Trusted installer " signed files and processes, after that I used SVChostanalyzer and Security Task Manager and realized suspicious instructions inside of

wininit.exe, services.exe, lsass.exe ,one of them being a on purpose BSOD when you kill a certain process so that the rootkit can backup itself, another being a programmed memory.dmp creation instruction  and as usually many instances of svchost.exe are not a good sign.

 

I uploaded two of these files to Hybrid-Analysis (online sandbox analyzer) ;

svchost.exe  

Which showed header timestamps into the future (2050) and forged Microsoft signatures

 

Inside of lsass.exe  I found TCP connections an Ip which seems to be part of Akamai-Technologies

 

I already know that the best option is to make a clean and secure install in this partition but I wanted to know  if this is could possibly be work of an enteprise stealing data or just maybe someone who is playing with tools and tunneling this to that Ip, I would gladly receive any counsel, comment or help for this issue if there was any to kill this malware without the cleanup. Thanks

svchost.txt

lsass.txt

Edited by xxyyxx
Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Hello @xxyyxx and :welcome:

Not sure what you mean by "without the cleanup". If malware is detected it needs to be removed in order to fix it.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Click on START and type in CMD.EXE and when it shows on the menu, right click and choose "Run as administrator"

Then type the following and press the Enter key. When it's done please take a screen shot of what it says or write down exactly what it says and post that back please.

SFC    /SCANNOW 

Note: Do not close this Command Prompt window until the verification is 100% complete. The scan results will be shown after this process is finished.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

So far not finding any issues and if SFC /SCANNOW is not finding bad DLL files that makes it less likely too, but we'll scan with a Kaspersky antivirus scanner too to double check.

 

Please download and run the following Kaspersky antivirus tool to remove any found threats

Kaspersky Virus Removal Tool

Post back what if anything it finds.

Thanks

Ron

 

Link to post
Share on other sites
  • 1 month later...
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.