
sfc /scannow found corrupt files and dllhost.exe


24 replies to this topic

#1 Datura007 (Members, 14 posts)

Posted 07 August 2016 - 11:41 AM

In the past months I have been experiencing some paranoia with regard to trojans and rootkits and possibly targeted attacks. Infections with which someone would be able to see my screen would be pretty devastating in my line of work.

I would like your help to get rid of this paranoia for once and for all by having a complete and thorough system check up and hopefully also receive some tips to secure my system even further. 

 

What I have done so far: 

 

- Changed the local security policy for UAC to prompt for credentials for the Administrator (I am not sure if this is just as safe as not working as an Administrator)

- Encrypted C: with Bitlocker

- Norton Security (I got this because of the SONAR function that seems to protect against 0day exploits)

- Malwarebytes Anti Exploit

- Cryptoprevent on Maximum

- Use a VM for everything not work related

- Changed my WIFI password (what is safer WIFI or Ethernet?)

- Use a VPN

- Disabled file and printer sharing

 

 

Today, after running an sfc /scannow command, Windows Resource Protection found corrupted files and repaired them; I have saved the CBS.log if it is relevant for you. I also have dllhost.exe showing up with multiple instances in Process Explorer, and when I google the process IDs I find all sorts of scary threads on fileless trojans that nest in the registry. I also like to keep my eye on TCPview, and two days ago I found two unknown IP addresses connected to me that had no processes associated with them.

 

 

I would like to do any and every check/scan you can think of to make sure my system is not compromised and get some peace of mind.

 

 

Here are the FRST reports both as attachments because FRST.txt was too long. 

 

 

 

 

 

Attached Files
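The "unknown IP addresses with no process" observation from TCPview is easier to judge when every connection is tied to its owning process at the moment of capture. The following PowerShell snippet is an added example, not code from this thread or from BleepingComputer: it parses the output of netstat -ano (available on Windows 7) and joins the PID column against the running process list, so each remote address carries a process name and executable path. It assumes an elevated Windows PowerShell 2.0 or later prompt, so that PIDs belonging to other users' processes are visible.

```powershell
# Added example (not from the thread): tie each TCP connection to its owning process.
# Assumes Windows 7 or later, Windows PowerShell 2.0+, and an elevated prompt.

# Snapshot of running processes keyed by PID, taken right before netstat so the two
# views are as close in time as possible.
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# netstat -ano lines look like:  TCP  10.0.0.5:49211  93.184.216.34:443  ESTABLISHED  4020
# (the addresses here are illustrative). UDP lines have no State column and are dropped
# by the field-count check; header lines fail the 'TCP' check.
$conns = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -eq 5) {
        $ownerPid = [int]$f[4]            # $pid is reserved by PowerShell, hence the name
        $p = $procs[$ownerPid]
        $name = '(no running process)'; $path = ''
        if ($p) { $name = $p.Name; $path = $p.ExecutablePath }
        New-Object PSObject -Property @{
            PID = $ownerPid; Process = $name; Path = $path
            Local = $f[1]; Remote = $f[2]; State = $f[3]
        }
    }
}

# Established sessions first: these are the "connected to me" entries seen in TCPview.
$conns | Where-Object { $_.State -eq 'ESTABLISHED' } |
    Sort-Object Remote | Format-Table -AutoSize PID, Process, Local, Remote, Path

# Entries whose PID no longer maps to a process, for a second look.
$conns | Where-Object { $_.Process -eq '(no running process)' -and $_.PID -ne 0 } |
    Format-Table -AutoSize PID, Local, Remote, State
```

A connection whose PID no longer matches a running process is usually one that closed between the netstat sample and the process listing, not evidence of a hidden program; run the snippet a few times and compare which remote addresses persist and which executable owns them. PID 4 is the kernel (System) and PID 0 appears on TIME_WAIT entries; neither corresponds to a user-mode executable.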





#2 Datura007 (Topic Starter; Members, 14 posts)

Posted 08 August 2016 - 12:42 AM

Today after I started my computer I noticed a new entry in my start menu: Remote Desktop Connection :nono:
I have no idea how that got there. I'm trying to find something in Event Viewer to see how it got there, but I am not really sure what I am doing.
 
 
[screenshot]


#3 TsVk! (penguin farmer; Members, 6,236 posts; Location: The Antipodes)

Posted 08 August 2016 - 06:06 PM

Hi,

 

I've been looking at your logs and will be helping you. Please be patient as I am still in training and need to confer with my mentors before posting.

 

I will respond as soon as possible.

 

TsVk!



#4 Datura007 (Topic Starter; Members, 14 posts)

Posted 08 August 2016 - 08:31 PM

Hi TsVk!,

 

Thanks for your time. I am waiting for your instructions :)



#5 Datura007 (Topic Starter; Members, 14 posts)

Posted 08 August 2016 - 10:47 PM

I just found some files in my %TEMP% folder. I opened them with Notepad; most of it is gibberish (I assume it's encrypted or something), but these parts are readable:

 

 

 

adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmp:CreateDate="2015-12-02T18:39:36+05:30" xmp:MetadataDate="2015-12-02T18:39:36+05:30" xmp:ModifyDate="2015-12-02T18:39:36+05:30" xmpMM:InstanceID="xmp.iid:CE906F8FF398E51187D1A9A07CFD4D3A" xmpMM:DocumentID="xmp.did:CD906F8FF398E51187D1A9A07CFD4D3A" xmpMM:OriginalDocumentID="xmp.did:CD906F8FF398E51187D1A9A07CFD4D3A" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" photoshop:History="2015-12-02T18:38:43+05:30&#x9;File Untitled-1 opened&#xA;2015-12-02T18:39:36+05:30&#x9;File E:\Ideas\Poker-PricePoot\Final Files\Assets\Table\HandHistory_bg.jpg saved&#xA;" dc:format="image/jpeg"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:CD906F8FF398E51187D1A9A07CFD4D3A" stEvt:when="2015-12-02T18:39:36+05:30" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:CE906F8FF398E51187D1A9A07CFD4D3A" stEvt:when="2015-12-02T18:39:36+05:30" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> <photoshop:DocumentAncestors> <rdf:Bag> <rdf:li>571F6BB37C63BD247E91B9D8C2B65F4E</rdf:li> <rdf:li>7B41EF067239D490DB20EB737B207418</rdf:li> <rdf:li>AED4549D621F51D51912FB0840449A26</rdf:li> <rdf:li>E5F4E1E143C3AE3777695C1872FEC6EC</rdf:li> <rdf:li>xmp.did:2D3EE8CC6F8411E28D27DCD4520DCB0F</rdf:li> <rdf:li>xmp.did:50C7AFE62777E51190A4F35E02B612E0</rdf:li> <rdf:li>xmp.did:95C5C011DF86E511A371C347942F072E</rdf:li> <rdf:li>xmp.did:983093193DA3E211873CD80DB4C51768</rdf:li> 
<rdf:li>xmp.did:C3B4BAD87B7DE51190A4F35E02B612E0</rdf:li> <rdf:li>xmp.did:CAD51F30C786E51189FA8ACB22D471FA</rdf:li> <rdf:li>xmp.did:D405C801A787E51189FA8ACB22D471FA</rdf:li> <rdf:li>xmp.did:F2605B932D86E51189FA8ACB22D471FA</rdf:li> </rdf:Bag> </photoshop:DocumentAncestors> </rdf:Description> </rdf:RDF> </x:xmpmeta>      

 

 

 

<?xpacket end="w"?>

Any idea what this is?



#6 TsVk! (penguin farmer; Members, 6,236 posts; Location: The Antipodes)

Posted 08 August 2016 - 10:57 PM

That's data from when you were installing software, temp data to be deleted. Nothing to be concerned about.

 

Your help is being looked at by my mentors. It can take a day or so before everything is verified and given the ok.



#7 Datura007 (Topic Starter; Members, 14 posts)

Posted 09 August 2016 - 12:11 AM

The file was created today and I did not install anything today. In the file it references an E:\Ideas folder. I have an E:\ drive but I have no such folder.

 

How can I figure out who or what created that file? 



#8 TsVk! (penguin farmer; Members, 6,236 posts; Location: The Antipodes)

Posted 09 August 2016 - 12:44 AM

Figure out which poker game you were playing when the file was created.



#9 Datura007 (Topic Starter; Members, 14 posts)

Posted 09 August 2016 - 02:24 AM

You are right. They seem to have been created by an auto update from the poker client.

 

What would you like me to do next? 



#10 TsVk! (penguin farmer; Members, 6,236 posts; Location: The Antipodes)

Posted 09 August 2016 - 03:10 AM

Please wait for my post to you to be checked by my trainers, then I will post it.



#11 TsVk! (penguin farmer; Members, 6,236 posts; Location: The Antipodes)

Posted 10 August 2016 - 04:29 PM

Hi Datura007,

 

Thanks for your patience.

 

When you ran ESET Poweliks cleaner did it detect anything?

 

Are you able to capture the process IDs of the processes that are causing concern, please? The dllhost executables you're seeing - are these named dllhost.exe or dllhost.exe.32* ?

 

Have you had Teamviewer installed on your machine?

 

Feel free to disable Remote Desktop if you don't use it.

 

Please download rKill to your desktop.

  • Right click the file > Run As Administrator.
  • If you have any difficulty running the tool please use an alternative from this page
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

Please download AdwCleaner and save to your Desktop.

  • Right click and "Run as Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Report button...a logfile will open in Notepad for review.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool, or you can save it to the desktop to be easily found for your reply.

Please copy and paste both the logs into your reply.

 

TsVk!



#12 Datura007 (Topic Starter; Members, 14 posts)

Posted 11 August 2016 - 10:57 PM

Poweliks did not detect anything. I will keep my eye on the dllhost.exe process. I should use Process Explorer for this, right?

Teamviewer is not installed, but I use it occasionally as a "run once" application. I stopped installing it after the Teamviewer hack 2 months ago. 

I disabled Remote Desktop as soon as I installed W7 which is why I thought it was weird for the start menu entry to just show up. 

 

rKill and AdwCleaner both seem clean. 25x.exe is a hotkey script I made. 

 

 

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 08/11/2016 12:09:15 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\iPad\Desktop\+ +  Poker  + +\KeePass-2.25\KeePass.exe (PID: 4056) [UP-HEUR]
 * C:\Users\iPad\AppData\Local\Temp\TeamViewer\TeamViewer_.exe (PID: 4020) [T-HEUR]
 * C:\Users\iPad\Desktop\+ +  Poker  + +\25.exe (PID: 3712) [UP-HEUR]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * TBS [Missing Service]
 * WMPNetworkSvc [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 08/11/2016 12:09:37 PM
Execution time: 0 hours(s), 0 minute(s), and 22 seconds(s)
 
 
 
 
# AdwCleaner v5.201 - Logfile created 11/08/2016 at 12:11:55
# Updated 30/06/2016 by ToolsLib
# Database : 2016-08-10.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (X64)
# Username : iPad - IPAD-PC
# Running from : C:\Users\iPad\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[C:\Users\iPad\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : uk.ask.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[S1].txt - [743 bytes] - [11/08/2016 12:11:55]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [815 bytes] ##########
 


#13 TsVk! (penguin farmer; Members, 6,236 posts; Location: The Antipodes)

Posted 11 August 2016 - 11:38 PM

You can use Windows Task Manager (right click toolbar > Start Task Manager > Show processes from all users) to check your running processes.

 

You could see 3 or 4 dllhost.exe's in there. Do you see dllhost.exe.32* also?


Edited by TsVk!, 11 August 2016 - 11:41 PM.


#14 Datura007 (Topic Starter; Members, 14 posts)

Posted 12 August 2016 - 05:39 AM

So today during work I used Wireshark to capture packets. As soon as I opened Wireshark some players instantly quit playing me. I am not knowledgeable enough to interpret the Wireshark capture, but I have saved the files if you want to have a look at them. Something to note is that there was no UDP traffic visible.

 

Soon after that a new folder called %SystemDrive% appeared on my desktop. The folder has the following structure: %SystemDrive%\ProgramData\Microsoft\Windows\Caches and contains 3 files: 

 

{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db

{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db

cversions.2.db

 

I have zipped up and uploaded the files here: http://s000.tinyupload.com/index.php?file_id=40751914758503427843

 

After that my virtual machine guest started acting weird. It has been doing that in the past days sometimes using 100% CPU. So I ran MBAM on it and it found a trojan on there: http://imgur.com/a/dAmnn

 

 

After that I went to my host's system's Event Viewer and I found a lot of new entries made. I have made screenshots of some of them: http://imgur.com/a/uJ7Jq

 

 

I don't know what the Windows Image Acquisition service is, but it sounds scary. Does this allow for screenshot grabbing? Also the DNS entries worry me; what are those?

 

Are you able to look at my Wireshark .pcap files?

 

Thanks once again for your help.
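The Event Viewer entries mentioned above are the kind of thing that is easier to judge from a filtered list than from screenshots. The PowerShell snippet below is an added example, not code from this thread or from BleepingComputer: it pulls the last 24 hours of Service Control Manager events (7045 = a new service was installed, 7036 = a service changed state) and DNS Client resolution-timeout events (1014) from the System log. It assumes Windows 7 or later with Windows PowerShell 2.0+ and an elevated prompt; the watch-list of service display names is constructed for the example and should be adjusted to whatever looked unfamiliar. For context, Windows Image Acquisition (service name stiSvc) is the scanner and camera service; it does not capture the screen.

```powershell
# Added example (not from the thread): filter the System log for the events that usually
# sit behind "a lot of new entries": service installs/state changes and DNS failures.
# Assumes Windows 7 or later, Windows PowerShell 2.0+, and an elevated prompt.
$since = (Get-Date).AddHours(-24)   # widen or narrow the window as needed

# Service Control Manager: 7045 = new service installed, 7036 = service entered running/stopped state.
$svcEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045, 7036; StartTime = $since
} -ErrorAction SilentlyContinue

# Constructed watch-list of service display names the user did not expect to see start.
$watch = @('Windows Image Acquisition (WIA)', 'Remote Desktop Services', 'TeamViewer')

# 7045 is always worth reading (new services are rare on a stable workstation); 7036 only
# when the message names one of the watched services.
$svcEvents | ForEach-Object {
    $msg = $_.Message
    $hit = ($_.Id -eq 7045) -or ($watch | Where-Object { $msg -like "*$_*" })
    if ($hit) {
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; Id = $_.Id; Message = ($msg -replace '\s+', ' ')
        }
    }
} | Format-Table -AutoSize -Wrap Time, Id, Message

# DNS Client 1014: a lookup timed out because no configured DNS server answered. A burst of
# these matches a flaky link; the queried names show which programs were trying to talk out.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DNS-Client'; Id = 1014; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Name'; e = {
        if ($_.Message -match 'for the name (\S+)') { $matches[1] } else { $_.Message }
    } } | Format-Table -AutoSize
```

Reading the two lists together is the point: a service that was installed (7045) shortly before an unexplained start (7036), or a run of 1014 timeouts for names no installed program should be resolving, is what merits a closer look; a lone 7036 for the scanner service or a few timeouts while the Wi-Fi was dropping is ordinary noise.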



#15 Datura007 (Topic Starter; Members, 14 posts)

Posted 12 August 2016 - 05:52 AM

I would like to add that I have taken my laptop offline since the last post. I have also not removed the trojan on the guest system in case it is something you would like to look at. Maybe we can find the origin.

 

Another thing to mention: I have had my laptop disconnect from the internet once a few days ago and it took nearly 15 minutes for the computer to get an internet connection again. All this time other devices on my network functioned without a hiccup.

 

 

edit: another thing to add is that two dllhost.exe processes that are only visible in Task Manager when I check "Show processes from all users" disappear as soon as I open Task Manager. This is 100% reproducible. They run under the SYSTEM user name.

 

And then I just noticed that there are a few new files in the Temp folder. When I try to open them I can't because they are in use by another process. When I try to copy them I can't because they are in use by COM Surrogate, which is dllhost.exe, right? So weird....

 

 

[screenshot]


Edited by Datura007, 12 August 2016 - 06:08 AM.
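Posts #11, #13 and #15 turn on the same question: are the dllhost.exe instances the genuine COM Surrogate, or something named to look like it (dllhost.exe.32*)? Task Manager answers that poorly, since it shows a name and a user and nothing else. The PowerShell snippet below is an added example, not code from this thread or from BleepingComputer: it enumerates every process whose name starts with dllhost, records its image path, owner, parent process, command line and Authenticode signature status, and flags anything that departs from the expected shape. It assumes Windows 7 or later with Windows PowerShell 2.0+, an elevated prompt so that SYSTEM-owned processes are visible, and that a legitimate COM Surrogate lives under System32 or SysWOW64 and is started by svchost.exe (the DcomLaunch host).

```powershell
# Added example (not from the thread): inspect every dllhost* process in enough detail to
# tell the real COM Surrogate from an impostor. Assumes Windows 7 or later, Windows
# PowerShell 2.0+, and an elevated prompt (otherwise SYSTEM processes are not visible).
$expectedPaths = @(
    "$env:SystemRoot\System32\dllhost.exe",
    "$env:SystemRoot\SysWOW64\dllhost.exe"
)

# One WMI snapshot, indexed by PID, so parents can be resolved without a second query.
$all  = Get-WmiObject Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

$all | Where-Object { $_.Name -like 'dllhost*' } | ForEach-Object {
    $proc   = $_
    $owner  = $proc.GetOwner()                  # fails quietly for processes we cannot open
    $parent = $byId[[int]$proc.ParentProcessId]
    $path   = $proc.ExecutablePath

    # Signature status of the image on disk: Valid, NotSigned, HashMismatch, ...
    $sig = 'n/a'
    if ($path -and (Test-Path $path)) { $sig = (Get-AuthenticodeSignature $path).Status }

    $parentDesc = "(exited) $($proc.ParentProcessId)"
    if ($parent) { $parentDesc = "$($parent.Name) ($($parent.ProcessId))" }

    # Each flag is one way a process can differ from a genuine COM Surrogate.
    $flags = @()
    if ($proc.Name -ne 'dllhost.exe')                    { $flags += 'odd-name' }       # e.g. dllhost.exe.32
    if (-not $path -or $expectedPaths -notcontains $path) { $flags += 'unexpected-path' }
    if ($sig -ne 'Valid')                                 { $flags += "sig:$sig" }
    if ($parent -and $parent.Name -ne 'svchost.exe')      { $flags += "parent:$($parent.Name)" }

    New-Object PSObject -Property @{
        PID         = $proc.ProcessId
        Name        = $proc.Name
        User        = "$($owner.Domain)\$($owner.User)"
        Path        = $path
        Parent      = $parentDesc
        CommandLine = $proc.CommandLine
        Signature   = $sig
        Flags       = ($flags -join ', ')
    }
} | Format-List
```

The command line is the most useful field for the "disappears when I open Task Manager" symptom: a genuine COM Surrogate is started on demand with a /Processid:{GUID} argument to host one COM object and exits when that object is released, so short-lived SYSTEM instances that come and go are expected behaviour. An empty Flags column on every row is the reassuring outcome; an unexpected path, a missing or invalid signature, or a parent other than svchost.exe is what to bring back to the thread, together with the full output for that row.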




