
SVChost infection not flagged by any tools


  • This topic is locked
6 replies to this topic

#1 timwrich


  • Members
  • 5 posts
  • Gender:Male
  • Location:MinneSconsin USA
  • Local time:10:38 PM

Posted 07 March 2014 - 11:38 AM

Attached is the ComboFix file.
 
 

I recently found that our corporate network bandwidth had skyrocketed overnight to upwards of 100 meg on the WAN connection. I tracked it down to one computer, which had four svchost.exe processes pegging each core, and network usage was around 3-6% of the gigabit connection nonstop. Unplugging this computer from our network caused its CPU to go to 1% and its networking to go to 0%, and the network went back to its normal range.

 

The svchost file had probably 50 TCP connections to random IP addresses around the world, many in Eastern Europe and Russia, those being the most common.

 

I tried the following tools, none of which flagged the svchost.exe file (which ended up being located in the windows\SysWOW64 folder, not System32 as normal):

 

  • TDSSKiller
  • RKill
  • DDS
  • ComboFix
  • Malwarebytes

 

I also used svchost viewer and Process Explorer (they didn't show up in svchost viewer).

 

I have saved a copy of the svchost file that caused this headache, and if you guys would like, I can attach it... I don't know if attaching the file would be a good idea, so I will wait for further instructions.

 

I ran a packet capture, but the packets are confusing and possibly encrypted; I think the goal of this infection was clicking ads for money?

 

My goal with this post is to possibly help in the development of tools to flag this infection.

 
I have a copy of the svchost file if anyone is interested... it was located in \windows\SysWOW64, not System32 as per normal svchost files.



Edited by timwrich, 07 March 2014 - 12:20 PM.



 


#2 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:38 AM

Posted 07 March 2014 - 11:48 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold; make sure to take note of it.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know. I am in training and an instructor will need to check my fixes so a little delay may happen at times.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

 

--------------

 

Hi timwrich,

 

I will be handling your log to help you get cleaned up. Please give me some time to look it over, and I will get back to you as soon as possible. 

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:38 AM

Posted 08 March 2014 - 06:21 AM

Hi timwrich,

 

Looking through your logs, it seems that the computer is still infected and one of your system files, rpcss.dll, has been patched. This is what is causing svchost to act weirdly and take up lots of bandwidth, not the actual svchost file (hence why none of the programs you ran would detect it, since it is not actually infected). The one you removed from SysWOW64 is legitimate; the SysWOW64 folder is part of a 64-bit OS and is used to run 32-bit applications, taking care of the differences between the two bit types. Whenever a 32-bit application tries to access System32 on a 64-bit version of Windows, it is redirected to SysWOW64 instead, as all 64-bit applications are kept in System32 and the 32-bit applications are stored in SysWOW64. Svchost.exe should be replaced in that location.

 

I can help you clean your computer and replace that file, something which should not be done manually due to the infection. I would like to ask first whether you have permission to do this, since you are a business, and generally when a computer is infected you should notify your IT department so they can deal with it.

 

xXToffeeXx~


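What a defender would check on a host like the one in this thread, as an added example that is not anything posted here: an elevated PowerShell triage script that lists every svchost.exe instance with its directory (System32 and SysWOW64 are both legitimate locations, as the reply above explains), its Authenticode signature status and the number of distinct remote IPs it holds established TCP connections to, taken from `netstat -ano`, and then reports the signature status and SHA-256 of rpcss.dll in both directories so they can be compared with a known-good copy from an identical build. The peer threshold of 20 is an assumed value, not something the thread gives.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell 4 or later.
# Assumed value: more than $peerThreshold distinct established TCP peers for one
# svchost.exe process is worth a closer look; tune it for the host's role.
$peerThreshold = 20

$sys32 = Join-Path $env:SystemRoot 'System32'
$wow64 = Join-Path $env:SystemRoot 'SysWOW64'

# 1. Distinct remote IPs with an ESTABLISHED TCP connection, grouped by owning PID.
#    netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
#    (State names are localized on non-English Windows; adjust 'ESTABLISHED' there.)
$peersByPid = @{}
netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'ESTABLISHED') {
        $owner  = [int]$f[4]
        $remote = $f[2] -replace ':\d+$', ''      # strip the port; keeps [IPv6] literals intact
        if (-not $peersByPid.ContainsKey($owner)) {
            $peersByPid[$owner] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$peersByPid[$owner].Add($remote)
    }
}

# 2. Every svchost.exe instance: where it runs from, whether it is signed, how chatty it is.
$report = Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path                              # null without elevation for SYSTEM processes
    $dir  = if ($path) { Split-Path $path -Parent } else { $null }
    $inExpectedDir = ($dir -eq $sys32) -or ($dir -eq $wow64)
    $sigStatus = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    $peers = if ($peersByPid.ContainsKey($_.Id)) { $peersByPid[$_.Id].Count } else { 0 }
    $displayPath = if ($path) { $path } else { '<access denied, run elevated>' }
    $cpu = if ($_.CPU) { [math]::Round($_.CPU, 1) } else { 0 }
    [pscustomobject]@{
        PID           = $_.Id
        Path          = $displayPath
        InExpectedDir = $inExpectedDir
        Signature     = $sigStatus
        RemotePeers   = $peers
        CpuSeconds    = $cpu
        # Any one of: unusual directory, signature not valid, or far more peers than normal.
        Suspicious    = (-not $inExpectedDir) -or ($sigStatus -ne 'Valid') -or ($peers -gt $peerThreshold)
    }
}
$report | Sort-Object RemotePeers -Descending | Format-Table -AutoSize

# 3. rpcss.dll, the file the reply found patched: signature status and SHA-256 in both
#    directories, to compare against a known-good copy from the same Windows build.
foreach ($dll in @((Join-Path $sys32 'rpcss.dll'), (Join-Path $wow64 'rpcss.dll'))) {
    if (Test-Path -LiteralPath $dll) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        '{0}: signature={1} sha256={2}' -f $dll, $sig.Status, $hash
    }
}
```

A patched system DLL fails signature validation, which is why the signature column is the first thing to read; a hash only tells you something once you have a known-good copy of the same build to compare with. On Windows 7 with PowerShell 2, `Get-AuthenticodeSignature` reports catalog-signed OS binaries as NotSigned, so there use `sfc /verifyfile=<path>` or Sysinternals sigcheck to validate them instead of trusting this column.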


#4 timwrich

  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:MinneSconsin USA
  • Local time:10:38 PM

Posted 10 March 2014 - 09:24 PM

I appreciate the timely response. I have replaced the rpcss.dll file with a known good version, reinstated svchost to SysWOW64 and redeployed the system. All signs show it is free of infection.



#5 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:38 AM

Posted 13 March 2014 - 10:21 AM

Hi timwrich,

 

I would like to get another log to see if anything else needs to be checked out, if you don't mind obliging me.

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

 

--------------

 

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~




#6 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:38 AM

Posted 17 March 2014 - 01:22 PM

Hi timwrich,

 

This is a 3 day bump:

 

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48 hours you have not replied to this thread, then it will have to be closed.

xXToffeeXx~




#7 schrauber


    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:38 AM

Posted 21 March 2014 - 11:30 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



