Jump to content
Szymon092

services.exe' was blocked from generating dynamic code.

Recommended Posts

Hi all, 

I have a virtual machine which doesn't have a lot of activity except a schedules software that processes scanned files from printers. Recently it's graylog activity is going through the roof with an error that I can't work out and i'm hoping someone here could be kind enough to help me figure out if this is malware related. Last thing I want is it spreading to the rest of my infrastructure or damaging the OS. 

Full Message:

Process '\Device\HarddiskVolume2\Windows\System32\services.exe' (PID 692) was blocked from generating dynamic code.

Microsoft-Windows-Security-Mitigations/KernelMode

I have attached a DDS attach.txt and DDS.txt

attach.txt dds.txt

Share this post


Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download Malwarebytes Anti-Malware from here
 

  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.

IMPORTANT

  • If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).


===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Choose a File.
Navigate to the location of the File.
Click the file. It will appear in section.
Click the Saving button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions
====

Share this post


Link to post
Share on other sites

Hi Nasdaq, 

Thank you for replying to me so quickly, I've run all the things you wanted me to run and attached the logs for each.

*Note* There are two logs for Malwarebytes - MalwareReport100919 is from yesterdays scan that I did which found something - this was without the "Find rootkits" enabled. Todays scan has the rootkits options enabled as you said. 

Thank you, 

Addition.txt AdwCleaner[C00].txt FRST.txt MalwareReport100819.txt MalwareReport110819.txt

Share this post


Link to post
Share on other sites

Hi,

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know if the problem is solved.

fixlist.txt

Share this post


Link to post
Share on other sites

Hi, 

I've run the FRST with fixlist.txt and it produced the Fixlog.txt attached. Machine also restarted, after the reboot I can still see related messages in event viewer and Graylog. 

Thank you, 

Fixlog.txt

Share this post


Link to post
Share on other sites

HI,

Can you attach the event viewer log.

I do not see any such error in the Addition.txt log.

What problem is this possibly creating?

Share this post


Link to post
Share on other sites

Hi Nasdaq, 

 

Logs attached, there is no visible problem that is being created although its just flooding the logs with this error, I searched it online and alot of articles came back saying it can be malware which is why I reached out for help on this forum. 

Thank you,

Event Viewer Logs.txt

Share this post


Link to post
Share on other sites

Hi,

This is the error reported by the Addition.txt log on HarddiskVolume2

Description: 


Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll that did not meet the Microsoft signing level requirements.

Date: 2019-10-08 13:16:15.395
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll that did not meet the Microsoft signing level requirements.

There are two think I can suggest.

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed refer to the Microsoft article again and follow the instructions to view details of the System File Checker process

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.
<<<>>>

Or update the Microsoft.net
This article may help.

https://www.catalog.update.microsoft.com/Search.aspx?q=Microsoft .NET Framework 4

Share this post


Link to post
Share on other sites

Hi Nasdaq, 

I tried the above, and sfc /scannow came back clean, I also tried updating microsoft.net and the issue is still there. 

Thank you,

sfcdetails.txt

Share this post


Link to post
Share on other sites

Hi Nasdaq, 

Thank you very much for looking into the issue, at least I'm happy you don't think its malware which puts me in a better position overall. 

I'll create a case there and see if anyone can help me. 

Thank you, 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.