Jump to content

Duplicate rogue services keep appearing


Recommended Posts

We have what seemed to be a trickbot version infection.  We found after clean scans that we still have rogue services with names simliar to windows services but adding group of random numbers and letters to the end.  have the PC's offline in safe mode(windows 10) we manually remove the services but just logging off and back in causes them to reappear with another random name. I've attached a screen shot example.  The only symptom is the user is OK  but if they browse the web the browser will crash and it does seem to matter what browser they use.  They mostly use SVCHOST and in the example they are named CaptureService, Connected devices and contact data.  They all have _8bbe397 currently but if removed they get added back with a new random ending.  To add to the difficulty on newer versions of windows like 1809 the services show services.  We found an older Windows 10 version doesn't show anything in services but they are all listed in the registry in hklm\system\currentcontrolset\services

 

badservices.jpg

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

We need more information.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions
 

Link to post
Share on other sites

Sorry yes this turned out to be a non issue.  The duplicates we were chasing were legitmate entries.  The computers with the issue had sophos running as well which appeared to conflict. This occured even with malware web protection disabled, uinstalling one or the other resolved the issue.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.