Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SVChost infection not flagged by any tools


  • This topic is locked This topic is locked
2 replies to this topic

#1 timwrich

timwrich

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:MinneSconsin USA
  • Local time:03:30 PM

Posted 07 March 2014 - 11:23 AM

I recently found that our corporate network bandwidth had skyrocketed overnight to upwards of 100 meg on the WAN connection. I tracked it down to one computer, which had four svchost.exe processes pegging each core, and network was around 3-6% of the gigabit connection nonstop. unplugging this from our network caused the cpu to go to 1% and networking to go to 0% on the computer, and normal range on the network.

 

the svchost file had probably 50 tcp connections to random ip addresses around the world, many in eastern europe and russia being most common.

 

i tried the folllowing tools, none of which flagged the svchost.exe file (which ended up being located in the windows\sysWOW64 folder, not system32 per normal)

 

tdsskiller

rkill

dds

combofix

malwarebytes

 

i also used svchost viewer and process explorer (they didnt show up in svchost viewer)

 

i have saved a copy of the svchost file that caused this headache, and if you guys would like, i can attach it... i dont know if attaching the file would be a good idea so i will wait until further instructions.

 

While running a packet capture, i have concluded (the packets are confusing and possibly encrypted) but i think the goal of this infection was clicking ads for money?

 

My goal with this post is to possibly help in the development of tools to flag this infection.

 

 

edit: how do i delte thread as this is in the wrong forum.. bad first post!! sorry guys!


Edited by timwrich, 07 March 2014 - 11:32 AM.


BC AdBot (Login to Remove)

 


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,041 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:30 PM

Posted 07 March 2014 - 11:31 AM

Hi,

 

Since you have run Combofix, please follow these instructions:

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created (make sure to include the combofix log created, probably located at C:\ComboFix.txt), then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 hamluis

hamluis

    Moderator


  • Moderator
  • 55,404 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:30 PM

Posted 07 March 2014 - 11:36 AM

Repost in AII, http://www.bleepingcomputer.com/forums/t/526793/svchost-infection-not-flagged-by-any-tools/#entry3308332 .

 

To avoid confusion, this topic is closed.

 

Louis






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users