laurent-st

svchost.exe analyzed with Process Explorer gives Session tag 2


Hello,

I recently suspected that my computer may be infected with a virus. I have analyzed the processes running on it with Process Explorer,
in particular the svchost.exe process, which seems to be used a lot to load infected .dlls. According to my research, in Process Explorer
in the Session column, the value associated with a svchost.exe process must always be 0. However, I found 4 svchost.exe
processes whose Session value is 1 or 2, cf. screenshot:
https://imgur.com/a/JROlLWn
These processes are linked to Windows services which seem normal in appearance, except that at the end of the process name there is
an underscore with a number that changes between reboots of my computer, here _e84b4e, see screenshot below:
https://imgur.com/a/dSKrLQZ
This service name which changes each time gives the impression that it is an infected service which is trying to hide itself, but I am not sure.
However, VirusTotal's analysis of the process does not give a detection, and giving the .dlls linked to the Windows services in question to
VirusTotal does not give any detection either.
I also launched MalwareBytes and AdwCleaner, which did not detect anything abnormal.

-> Should I be worried or is all this normal? Thank you in advance for your reply!

screenshot.PNG

screenshot2.PNG


Hi, :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only attach the report files, etc. that I ask for as we go along.

.

Please know I help here as a volunteer, and that I am not on 24 x 7.

Help on this forum is one to one.    The main goal in this sub-forum is to help check for actual malware & remove it if it is truly found.

I understand that you have scanned with  MalwareBytes and AdwCleaner  & they reported no malware.

.

Let us begin by doing these steps, please.  If you have questions as we go along, stop and ask me first.

[  1   ]

Please download Rkill from one of the following links and save to your Desktop:

One, Two, Three or Four

 

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please post the log

 

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

But whatever happens, be sure you go ahead and do the following steps  for sure.   Thanks.

 

[   2    ]

You did not mention the version of Windows on this system.  I am presuming this is running Windows 10.

This will run a Full scan with Microsoft Windows Defender.  Please know that this run may take an hour or more to complete.   Please have patience.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

On that command prompt,  Copy & Paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

tap Enter-key to have it proceed.   Then just let it run, however long it takes.

Make a note of the final display results.

 

[   3   ]

Let’s  please try to get and run a special  report  tool from Microsoft. 

It does not make changes. It will be just a report.

 

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK


Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries


Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures


Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.


Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.

 

 

 

Share this post


Link to post
Share on other sites

This is my second reply. Please be sure that you do not overlook my earlier reply. This is some additional information.

The Session column within Process Explorer identifies the terminal services session in which the process is running.
A session value of 1 or higher just means it is running within a user session.

You will also note that the service (process) you highlighted IS running under your own user-name (i.e. a user session). Hence it is not a surprise that the session has a non-zero (non-blank display) value.

That same service  ( process)   also runs on my Windows under User session as well.


And as to the _e84b42 "suffix" on the service, that is a normal thing. The _e84b42 is an identifier.
That same service on my machine also had an identifier, by the way.

I am not of the view that your system has an infection  ( that is, by the virtue of the identifier element or of the Session ).

Attached is a copy of my inquiry on my machine of the same service. The formal name of the service is Connected Devices Platform User Service. Thus the CDPUserSvc.

This service is associated with Bluetooth, or Printers & Scanners as well as music players, storage devices, mobile phones, cameras, and many other types of connected devices.


This is not malware.
I have used Process Explorer on my Windows 10 & did a Check VirusTotal for the same process you wrote about. None of the scanners at VT have flagged it. That is zero of 71 scan engines at VT.
I believe that you did the same with VirusTotal on your machine and it also did not report it as malware.

[Attachment: Proc_exp_snippet.png]

Edited by Maurice Naggar
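To put the Session-column point above into something reproducible, here is an added PowerShell example (not code from the thread or from Sysinternals) that lists every svchost.exe with its session, owner, the services it hosts, and the Authenticode status of its image. It assumes an elevated prompt (the GetOwner call and some paths need it) and assumes that per-user services carry an "_<hex>" suffix such as the CDPUserSvc_e84b42 seen in the screenshots; the `$perUserSuffix` pattern encodes that assumption. Note that a non-zero session is deliberately not treated as suspicious, in line with the reply above; what the script flags instead is an svchost image outside the Windows system folders, an invalid signature, or an svchost hosting no service at all.

```powershell
# Added example (not from the thread): inventory svchost.exe instances with session,
# owner, hosted services and image signature. Run from an elevated PowerShell prompt.
# Assumption: per-user services are named <Service>_<hex LUID>, e.g. CDPUserSvc_e84b42.
$perUserSuffix = '_[0-9a-f]{4,}$'

# Both copies of svchost.exe shipped with Windows are legitimate locations.
$knownPaths = @("$env:windir\System32\svchost.exe", "$env:windir\SysWOW64\svchost.exe")

# Several services share one svchost process, so map PID -> list of service names.
$svcByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    if (-not $svcByPid.ContainsKey($svc.ProcessId)) { $svcByPid[$svc.ProcessId] = @() }
    $svcByPid[$svc.ProcessId] += $svc.Name
}

$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner    = $p | Invoke-CimMethod -MethodName GetOwner
    $services = if ($svcByPid.ContainsKey($p.ProcessId)) { @($svcByPid[$p.ProcessId]) } else { @() }

    # ExecutablePath can be empty for protected processes; treat that as "unknown", not "bad".
    $sigStatus = if ($p.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status.ToString()
    } else { 'Unknown' }

    [pscustomobject]@{
        PID       = $p.ProcessId
        Session   = $p.SessionId          # same value Process Explorer shows in its Session column
        Owner     = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '?' }
        Path      = $p.ExecutablePath
        Signature = $sigStatus
        Services  = ($services -join ', ')
        PerUser   = @($services | Where-Object { $_ -match $perUserSuffix }).Count -gt 0
        # Flag only the things that are actually unusual for svchost.exe. A session of 1 or 2
        # with a user owner is expected for per-user services, so it is not a criterion here.
        Review    = ($p.ExecutablePath -and ($knownPaths -notcontains $p.ExecutablePath)) -or
                    ($sigStatus -eq 'NotSigned') -or ($sigStatus -eq 'HashMismatch') -or
                    ($services.Count -eq 0)
    }
}

$report | Sort-Object Session, PID | Format-Table PID, Session, Owner, Signature, PerUser, Services -AutoSize
"--- entries worth a closer look ---"
$report | Where-Object Review | Format-List PID, Session, Owner, Path, Signature, Services
```

Running this on a healthy Windows 10 system typically shows a handful of svchost.exe processes in session 1 or higher owned by the logged-on user, each hosting one service whose name ends in the per-user suffix, with a Valid signature; the "closer look" list should be empty.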


Hi Maurice,

Thank you for your reply!  Here are the outputs of the various steps:

[1]: See Rkill.txt

[2]: Indeed I'm on Windows 10 64-bit. There is an error when I try to run your command (even in admin mode), cf. "error_windows_defender.PNG" screenshot, so I went manually through Windows Defender and ran the Full Scan. The output of the scan is in the screenshot "windows_defender_full_scan_results.PNG": it is in French but it says:

"No current threat. Last analysis: 25-03-2020 11:06. 0 threats found. The analysis lasted 7 minutes 30 seconds. 737696 files analyzed."

[3]: See autorun_analysis.zip

 

Regarding your second reply:

Ok then, I think that I probably overreacted. I had the feeling that there was a problem when Avast made an update quickly after I made a download on the Internet, and I was not able to open Avast without rebooting my computer, so I decided to make a full check of my computer and then I encountered those strange processes. I also made an analysis with FRST (Farbar Recovery Scan Tool) whose output contained a strange part mentioning errors with Windows Defender and the fact that a process "...svchost.exe attempted to load a \Device\HarddiskVolume4\Program Files\AVAST Software\Avast\aswAMSI.dll file that did not meet the Windows signing level requirements". I attach this part as "FRST_partial_output.txt" if you want to have a look.

--> So I am a bit too suspicious but I prefer to be sure that everything is OK... Thanks for your help!

error_windows_defender.PNG

windows_defender_full_scan_results.PNG

Rkill.txt autorun_analysis.zip FRST_partial_output.txt


Good afternoon / Good evening.

The Rkill report is normal.

You used PowerShell. The commands I suggested are not appropriate for PowerShell. There are specific (different) command formats for PowerShell (more detail below).

My apologies,  I made the assumption that your system used the (default) CMD command-line interpreter.  I also assumed Windows 10 as the O.S.

.

There is an issue on this system as far as Windows Update for Windows Defender. That can be corrected by doing some housekeeping.

That is the "Error code: 0x8007043c"

I will have to provide you the way to do it in an Elevated CMD interpreter (sorry, I do not have the PowerShell equivalent commands at this point).

You will need to consider that your Windows language is French.  So some of this you will need to handle.  Like the description of the CMD

First we need to be in the standard Command and in Elevated rights mode  ( for Administrator )

In the Windows 10 search box,  type in

cmd.exe

and look close on the result choices on the right side pane.  When you see "Command prompt"  look down the list and select & click on

"Run as Administrator"

Then just be sure that the Command prompt is open   ( it should mention 'Administrator'  on its title bar).

The following is a list of commands to be put into the Command-prompt-window.  One at a time.  And tap Enter-key after each one.  It is best to COPY from here and then PASTE into your Command-window.

net stop bits

 

net stop wuauserv

 

del /s /q %windir%\SoftwareDistribution\Download\*.*

 

net start bits

 

net start wuauserv

 

exit

After all this is completed,  You may do a Microsoft Windows Update run.  Windows Settings >> Update & Security >> Check for updates.

.

As to the Powershell command lines to run the Windows Defender scan, here they are:

Update-MpSignature

That will start the procedure to get definitions update for Windows Defender.  Have lots of patience.  This took time on my machine.  After a bit of time, you should see a bit of a display of a set of moving characters to indicate progress.  On mine, they looked like the character o

 

You may select a range of different scans  ( one of several that is).  A regular quick scan, a Full scan, a custom scan, or an Offline scan.

Start-MpScan -ScanType QuickScan

That is for a quick scan.

.

Start-MpScan -ScanType fullscan

That is for FULL scan.

.

start-mpscan -scantype customscan

That is for a custom scan.

.

start-mpwdoscan

This invokes an OFFLINE mode scan with Windows Defender. It can be very useful in stubborn situations. Offline scan does the scan in a special mode, that is, while regular Windows is suspended during the run. It uses a very special procedure and when done puts the system back in regular Windows.

.

Finally, this is how to get the history of threats detected.

get-mpthreat

Gets the history of threats detected on the computer.

Note that those are very computer nerd like summaries.  They will not show event dates.  But they should show filename & location & the Microsoft classification.

.

get-mpthreatdetection

Gets active and past malware threats that Windows Defender detected.

This will also show the event dates, as well as filename & location & the Microsoft classification.

.

Other notes:   I am very very glad to read your report that the Windows Defender scan found no malware !

Quote: "No current threat. Last analysis: 25-03-2020 11:06. 0 threats found. The analysis lasted 7 minutes 30 seconds. 737696 files analyzed."

I believe that would have been a Quick scan. If you wish you may do a Full scan or an Offline scan.

.

Further note:  Thanks for the Autoruns report.  That looks normal.

I do hope all this helps.

Sincerely,

Maurice

 

 

Edited by Maurice Naggar
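The reply above lists the Defender cmdlets one at a time; as an added example (not code from the thread or from Microsoft), here they are tied together into one function that records signature age before doing anything, refreshes definitions, runs the chosen scan, and then joins Get-MpThreatDetection (which carries timestamps) with Get-MpThreat (which carries the classification) into one table. It assumes an elevated PowerShell prompt and the built-in Defender module on Windows 10. The second function shows why the CMD one-liner from the first reply failed when pasted into PowerShell: `&` is PowerShell's call operator, so each MpCmdRun.exe invocation has to be its own statement.

```powershell
# Added example (not from the thread): wrapper around the Defender cmdlets listed above.
# Assumes an elevated PowerShell prompt on Windows 10 with the Defender module present.
function Invoke-DefenderCheck {
    param(
        [ValidateSet('QuickScan', 'FullScan', 'CustomScan')]
        [string]$ScanType = 'QuickScan',
        [string]$ScanPath            # only used with CustomScan
    )

    # 1. Record the starting point. A scan run with week-old definitions says less
    #    than a clean result suggests, so the signature age is worth seeing first.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        LastQuickScan      = $status.QuickScanEndTime
        LastFullScan       = $status.FullScanEndTime
    } | Format-List

    # 2. Refresh definitions (the cmdlet form of "MpCmdRun.exe -SignatureUpdate").
    Update-MpSignature

    # 3. Run the requested scan. Start-MpScan blocks until the scan has finished,
    #    so the detection query below sees its results.
    if ($ScanType -eq 'CustomScan') {
        if (-not $ScanPath) { throw 'CustomScan requires -ScanPath' }
        Start-MpScan -ScanType CustomScan -ScanPath $ScanPath
    } else {
        Start-MpScan -ScanType $ScanType
    }

    # 4. Detection history. Get-MpThreat has the name/classification, Get-MpThreatDetection
    #    has the event dates, file locations and outcome; join them on ThreatID.
    $names = @{}
    foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t.ThreatName }

    Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $names[$_.ThreatID]
            Resources = ($_.Resources -join '; ')
            Process   = $_.ProcessName
            Cleaned   = $_.ActionSuccess
        }
    } | Format-Table -AutoSize
}

# The CMD line from the first reply, rewritten for PowerShell. In CMD "&" chains two
# commands; in PowerShell it is the call operator, so pasting the CMD line fails to parse.
function Invoke-MpCmdRunScan {
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpcmd -SignatureUpdate
    & $mpcmd -Scan -ScanType 2       # -ScanType 2 is a full scan, as in the original line
}

# Usage, from an elevated PowerShell prompt:
Invoke-DefenderCheck -ScanType QuickScan
```

On a machine like the one in this thread, the final table is simply empty, which is the PowerShell equivalent of the "0 threats found" screen the original poster saw.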


Hello. How are you doing? How are things?


Hello Maurice,

Sorry for the delay of my answer!

So if I understand correctly, everything from Rkill, Windows Defender and Autoruns is normal, so nothing to worry about? Concerning the Windows Defender scan, it was a Full scan, not a Quick scan, but it went fast since I don't have many files on my computer; it is quite recent.

Concerning the Windows Defender update I didn't really understand, can't I directly update windows defender from the parameters menu?

Thanks again for your help!

 

 


Good morning.

Yes, your machine is normal.   There is no need for 'worry'.  You can do a new run with Malwarebytes for Windows as a new check.

Plus, you can always do a scan with Windows Defender.

I am not quite sure what you call "parameters menu".

You can do a manual Check for Update for Windows Defender by using the Windows Settings menu.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

[screenshot]

 

Next, In Windows Security section:  Click on the grey button Open Windows Security

[screenshot]

.

Now, click on the shield Virus and threat protection

By the way, when you see a green check-mark on your display, it means a good status  and that  protection is on.

 

[screenshot]

On the next display, look at all the options. Look down the list and see "Check for Updates", which I have highlighted with a blue icon.

You can click on that to have the system check for updates for Windows Defender.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.  ( You can do Quick, Full, or Custom).

 

[screenshot]

 

Note: In my preceding replies, I provided methods to run Windows Defender from a Command window. I thought perhaps it would be a more direct way to do things.

You should be able to use the Settings menu and the graphical menu  to get to what you need to do.

If you have other questions about Windows Defender, let me know.   Microsoft Windows Defender is a very good antivirus.

.

As I noted before, I do not believe that there is an actual infection on this machine.

Allow me to suggest 2 new scans to check your system again.

[ 1  ]

Please do a new Scan on this machine, using Malwarebytes for Windows.

To run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button.

Have patience during the run.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Then, locate the Scan run report; export out a copy; & then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

[    2   ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.


Sincerely,

Maurice

 


Hey Maurice,

Ok thanks that is a relief!

I checked the updates for Windows Defender as you explained, everything looks in order now.

[1] Malwarebytes didn't find anything suspicious, I attach the report.

[2] Microsoft Safety Scanner didn't find anything either! I attach the log as well.

--> Well I think that everything is OK then, I was maybe too suspicious but at least it is good that I made a full check of my PC! Thanks a lot for everything Maurice!

Best regards

Malwarebytes_report.txt msert.log


Hello. I am happy to hear back from you. Thank you for these reports. Those are very very good results.

I am very glad to have helped you and worked with you.      😉

You may delete the RKILL file download that you made some days ago   ( at the start of this case).

You should delete the Microsoft Safety scanner download file

You may also cleanup after the FRST64 tool that you downloaded.  

To remove the FRST64 tool & its work files, do this. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.

Then run that ( double click on it)  to begin the cleanup process.

.

The first best practice of computer safety is to have backups of the system.  Make regular periodic backups to offline removable media.

Backup is your best friend.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

 

All my best wishes to you.   I am marking this case for closure.

Best regards.

Maurice

😎
