muttly

TCPSVCS.EXE -  Trojan.PasswordStealer

Having just installed Malwarebytes 3.6.1 and run a scan, I get two significant alerts which weren't appearing before. I'm concerned about a possible false positive here.

Files:

C:\windows\system32\tcpsvcs.exe

C:\windows\syswow64\tcpsvcs.exe

Alert:  Trojan.PasswordStealer

Both files are around 12KB in size and seem correctly signed.  Windows Defender does not pick them up as suspicious.

I just got home from work and malwarebytes just flagged the same two files. I really hope it's a false positive because I'm panicking a little thinking about having to change all my passwords.

Hi guys

 

Please could you post a Malwarebytes log showing the detection.

 

Thanks in advance.

Just now, Fatdcuk said:

Please could you post a Malwarebytes log showing the detection.

Where can I find such a log?


I have received the same.

From the scan summary:

File: 2
Trojan.PasswordStealer, C:\WINDOWS\SYSTEM32\TCPSVCS.EXE, No Action By User, [3569], [578625],1.0.7241
Trojan.PasswordStealer, C:\WINDOWS\SYSWOW64\TCPSVCS.EXE, No Action By User, [3569], [578625],1.0.7241

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/8/18
Scan Time: 7:18 PM
Log File: 138f6832-cadb-11e8-88db-4ccc6af967aa.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.7241
License: Premium

-System Information-
OS: Windows 10 (Build 17134.285)
CPU: x64
File System: NTFS
User: DESKTOP

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 323649
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 4 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.PasswordStealer, C:\WINDOWS\SYSTEM32\TCPSVCS.EXE, Quarantined, [3569], [578625],1.0.7241
Trojan.PasswordStealer, C:\WINDOWS\SYSWOW64\TCPSVCS.EXE, Quarantined, [3569], [578625],1.0.7241

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

log.txt

4 minutes ago, Fatdcuk said:

Please could you post a Malwarebytes log showing the detection.

 

Log.txt

Thanks for your help on this guys.

Troubleshooting the detection now.

Can someone either zip and attach the file that is being detected in a reply or alternatively upload it to the following website then paste a link to the report generated in a reply https://www.virustotal.com/#/home/upload

Thanks in advance.

 

Just now, Fatdcuk said:

Can someone either zip and attach the file that is being detected in a reply or alternatively upload it to the following website then paste a link to the report generated in a reply https://www.virustotal.com/#/home/upload

I can do that now.


Thanks guys for reporting this and your help on fixing this.

Confirmed these are both false positive detections and we have now just pushed an update to fix them.

MBAM2 Version: v2018.10.08.03
MBAM3 Version: 1.0.7243

Please can you update to current database and confirm they are no longer detected.

Thanks in advance.

7 minutes ago, Fatdcuk said:

Confirmed these are both false positive detections and we have now just pushed an update to fix them. Please can you update to current database and confirm they are no longer detected.

Updates applied and new scan is clean.

Thanks

 

39 minutes ago, Fatdcuk said:

Please could you post a Malwarebytes log showing the detection.

Same 2 detections this morning, 10/08/2018. Log attached.

MB.txt

Really glad to have found this topic. I also had the same two detections and had quarantined and rebooted before looking online. After reading the contributions here and restoring the quarantined items I updated, scanned again and all is clear. Thanks to the people who first reported this (and added their files) and to Malwarebytes staff for fixing it so quickly.

Just had the same problem. Can I take it that it is a false positive? Is there an easy check? If it is a false positive, do I need to restore the files or can I leave them quarantined? I have attached the log (.txt).

tcpsvcs.txt

Hi Impel

Confirmed these were false positive detections and they are safe to restore from your quarantine.

I had this error this morning. The files didn't automatically go to quarantine. I put them in quarantine and then I deleted them. Question: will I now have issues with my laptop, i.e. do I need to do a system restore to before I did the delete? I ran another scan after I did this and no issues came up. I've since rebooted the PC and it acts fine for now.

Hello @pfab

In the future please do not delete files. That is what the quarantine is for, so that files can remain there safely. Then if something like a false positive does happen you're able to restore them.

For now you can run the following.

Click on Start and type in CMD.EXE and when it shows on the menu right click over it and select "Run as administrator" and then type in the following and press the Enter key. Any missing or corrupted core operating system files should get fixed.

SFC /SCANNOW

Thank you

Ron

 

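The repair procedure Ron describes, written out as an added example (this is not part of Ron's reply or a Malwarebytes-supplied script). It runs the same SFC /SCANNOW from an elevated PowerShell prompt, checks whether the two tcpsvcs.exe files are back and carry a valid signature, and, only if they are still missing afterwards, repairs the component store with DISM (an assumed follow-up step from standard Windows servicing, not something the thread states) and runs SFC again. The file list and the CBS.log path are assumptions that match a default Windows 10 installation.

```powershell
# Added example: repair a deleted protected system file with SFC, falling back
# to DISM if the component store itself needs repair. Run as Administrator.
#Requires -RunAsAdministrator

# Assumed targets: the two files quarantined/deleted in this thread.
$files = @(
    "$env:SystemRoot\System32\tcpsvcs.exe",
    "$env:SystemRoot\SysWOW64\tcpsvcs.exe"
)

function Show-FileState {
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            # Windows components are catalog-signed; Get-AuthenticodeSignature
            # resolves those too, so Status should read 'Valid' for a restored file.
            $sig = Get-AuthenticodeSignature -FilePath $f
            "{0}: present, signature {1}" -f $f, $sig.Status
        } else {
            "{0}: MISSING" -f $f
        }
    }
}

"Before repair:"
Show-FileState

# 1. Let SFC rebuild protected files from the component store (WinSxS).
sfc /scannow

# 2. If a file is still missing, the store copy may itself be damaged:
#    repair the store (needs Windows Update access, or add
#    /Source:<path-to-install-media> offline) and run SFC once more.
$stillMissing = $files | Where-Object { -not (Test-Path -LiteralPath $_) }
if ($stillMissing) {
    DISM /Online /Cleanup-Image /RestoreHealth
    sfc /scannow
}

"After repair:"
Show-FileState

# 3. SFC writes its results to CBS.log with an [SR] tag; show the tail of
#    those lines so a "cannot repair" result is visible without opening the log.
Select-String -Path "$env:SystemRoot\Logs\CBS\CBS.log" -Pattern '\[SR\]' |
    Select-Object -Last 40 |
    ForEach-Object { $_.Line }
```

If SFC reports that it found corrupt files but could not repair some of them, the DISM step is the one that matters; a system restore point, as asked about later in the thread, is the heavier alternative and is only needed if the component store cannot be repaired.
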
8B3380241C9C4B6D6460217A678AB178 TCPSVCS.EXE MD5
F02449938E0E2197152ECB1AF8AA158AE50214DC TCPSVCS.EXE SHA1
081DC131643A56706574B620388332AAA4D368EE48A147C15B173FEC27B1E732 TCPSVCS.EXE SHA256

https://www.virustotal.com/en/file/081dc131643a56706574b620388332aaa4d368ee48a147c15b173fec27b1e732/analysis/1538990878/

or (two different CRCs)

https://www.virustotal.com/en/file/63a56dcf9e9a717411d3b98519114987875171f9d3d76400f886751c0cd4d182/analysis/1538991149/

but then I found this...

https://www.hybrid-analysis.com/sample/081dc131643a56706574b620388332aaa4d368ee48a147c15b173fec27b1e732/5bbb29f97ca3e16a18749a63

Also it appears to make connections to:

TCP traffic to 67.135.105.137 on port 80 is sent without HTTP header
TCP traffic to 205.185.216.10 on port 80 is sent without HTTP header
TCP traffic to 173.222.40.209 on port 80 is sent without HTTP header

Was just about to FORMAT entire PC until I saw this thread...

Glad it's just a false positive! Very scary stuff!

 

tcpsvcs-info.txt

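The "easy check" Impel asked for, and the hash comparison the previous post does by hand, as an added example (this is my script, not something posted in the thread or shipped by Malwarebytes). For each flagged path it computes the SHA-256, reads the Authenticode signature status and signer, and looks for a copy of the same file in the WinSxS component store: the files in System32 and SysWOW64 are normally hard links to the store copy, so a store copy with an identical hash shows the file is the one Windows installed. The reference hash is the SHA-256 one poster reported above for his copy; it is not a Microsoft reference value and will legitimately differ between Windows builds, which is why the signature and component-store checks carry more weight than the hash match.

```powershell
# Added example: verify that the tcpsvcs.exe files Malwarebytes flagged are the
# Microsoft-signed binaries Windows shipped. Run from PowerShell on the affected
# machine (no elevation needed to read these files).

# SHA-256 reported for one poster's copy in this thread (not an authoritative value).
$ReportedSha256 = '081DC131643A56706574B620388332AAA4D368EE48A147C15B173FEC27B1E732'

$targets = @(
    "$env:SystemRoot\System32\tcpsvcs.exe",
    "$env:SystemRoot\SysWOW64\tcpsvcs.exe"
)

# Hash every tcpsvcs.exe in the component store once; System32/SysWOW64 copies
# should match one of them byte for byte.
$storeHashes = Get-ChildItem "$env:SystemRoot\WinSxS" -Recurse -Filter 'tcpsvcs.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is missing (deleted, or still in quarantine)"
        continue
    }

    $item   = Get-Item -LiteralPath $path
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # Windows binaries are usually catalog-signed rather than carrying an
    # embedded signature; Get-AuthenticodeSignature checks the catalogs too.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    [pscustomobject]@{
        Path               = $path
        SizeBytes          = $item.Length
        FileVersion        = $item.VersionInfo.FileVersion
        SHA256             = $sha256
        MatchesThreadHash  = ($sha256 -eq $ReportedSha256)   # only true on the same build
        SignatureStatus    = $sig.Status                      # expect 'Valid'
        Signer             = $signer                          # expect a CN=Microsoft Windows subject
        InComponentStore   = ($storeHashes -contains $sha256) # expect True
    } | Format-List
}
```

A file that shows SignatureStatus Valid with a Microsoft Windows signer and InComponentStore True is the shipped binary regardless of what any scanner says about it; a file that fails either check is worth the VirusTotal upload the staff asked for, because a valid signature cannot be forged by simply renaming a file to tcpsvcs.exe.
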
I ran sfc /scannow, but it didn't fix the issue. Would a system restore fix the problem for the files that I deleted?
