Duplicate rogue services keep appearing

[WalthamMIS]

We have what seemed to be a trickbot version infection.  We found after clean scans that we still have rogue services with names simliar to windows services but adding group of random numbers and letters to the end.  have the PC's offline in safe mode(windows 10) we manually remove the services but just logging off and back in causes them to reappear with another random name. I've attached a screen shot example.  The only symptom is the user is OK  but if they browse the web the browser will crash and it does seem to matter what browser they use.  They mostly use SVCHOST and in the example they are named CaptureService, Connected devices and contact data.  They all have _8bbe397 currently but if removed they get added back with a new random ending.  To add to the difficulty on newer versions of windows like 1809 the services show services.  We found an older Windows 10 version doesn't show anything in services but they are all listed in the registry in hklm\system\currentcontrolset\services

 

[WalthamMIS]

Soooo I see some of these seem to be legit so back to not knowing what the issue is I guess.  Something is hiding somewhere.  😕    It happened that clearning some things out listed as unistacksvcgroup seemed to solve the issue for at least one

[nasdaq]

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

We need more information.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions
 

[nasdaq]

Are you still with us?

[WalthamMIS]

Sorry yes this turned out to be a non issue.  The duplicates we were chasing were legitmate entries.  The computers with the issue had sophos running as well which appeared to conflict. This occured even with malware web protection disabled, uinstalling one or the other resolved the issue.

[nasdaq]

Thank you for the feedback.

This topic will be closed.

 

[AdvancedSetup]

Since this issue is resolved the topic will now be closed to prevent others from posting here.

If you need assistance please start your own new topic and someone will be happy to assist you.

Thanks