Suspicious DLLs & EXEs

1 reply to this topic

#1 dareynedx

Posted 12 July 2017 - 10:00 PM

I am extremely confident I have an infection on this machine. I believe it to be a rootkit, but it could be a garden-variety trojan dropper.

 

While I wait for assistance in the Malware removal forum, could someone please provide some insight into the following HitmanPro analysis of this Explorer.Exe file? It seems highly unusual that it is calling the Windows NT logon shell.

Properties
Name Explorer.EXE
Location C:\Windows
Size 3.1 MB
Time 4.5 days ago (2017-07-09 09:28:45)
Entropy 5.6
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Windows Explorer
Version 6.1.7601.23537
Copyright © Microsoft Corporation. All rights reserved.
Desktop Default
LanguageID 1033
SHA-256 D5BC504277172BE5C54B60AD5C13209DC1F729131DEF084DE3EC8C72E54C58EF
 
Scoring (11.0)
Substitutes Explorer.exe as the default shell. Malware tends to start this way.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
Program has a human-computer interface (GUI). This is typical for most programs.
 
Memory
PID 1440
 
Startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
 
References
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
C:\Users\Main Account\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
C:\Users\Main Account\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
 
Additionally, Google has nothing on the following dll except for the following: http://www.win7dll.info/ipsecsvc_dll.html
 
The link seems to indicate that the dll calls other dlls capable of remotely changing firewall settings, impersonating clients, and handling inbound/outbound connections to a rogue server.
 
Properties
Name ipsecsvc.dll
Location C:\Windows\System32
Size 491 KB
Time 4.5 days ago (2017-07-09 09:28:07)
Entropy 6.1
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Windows IPsec SPD Server DLL
Version 6.1.7601.23452
Copyright © Microsoft Corporation. All rights reserved.
Service PolicyAgent
LanguageID 1033
SHA-256 B7E6B5E1148B7EE537E8D5C3A65450876B61CD45A395267D08699746E98AD574
 
Scoring (7.0)
Starts automatically as a service during system bootup.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
 
Startup
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\
 
I can post the entire dll & exe analysis upon request.

Edited by dareynedx, 12 July 2017 - 10:10 PM.


#2 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 PM

Posted 13 July 2017 - 12:10 AM

Nothing wrong with explorer.exe

 

https://www.virustotal.com/en/file/d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef/analysis/
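One way to re-check both findings locally before concluding anything (an added example, not code from either poster or from HitmanPro): it reads the two Winlogon\Shell values the report lists, then hashes and signature-checks explorer.exe and ipsecsvc.dll so the SHA-256 can be compared on VirusTotal as in the reply. The file paths and the expected default shell value 'explorer.exe' are assumptions based on a stock Windows install.

```powershell
# Added triage example: re-verify what the HitmanPro report scored, using only built-in cmdlets.
# Assumes a stock install where Winlogon\Shell is 'explorer.exe' (or absent) and the files
# live under %SystemRoot% as the report shows.

$shellKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$expectedShell = 'explorer.exe'   # Windows default; any other value or extra entries deserve a closer look

foreach ($key in $shellKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        "$key\Shell : (not set; Winlogon falls back to explorer.exe)"
    } elseif ($shell.Trim() -ieq $expectedShell) {
        "$key\Shell : '$shell' (default)"
    } else {
        "$key\Shell : '$shell'  <-- not the default shell, investigate"
    }
}

# The two files the report scored: the Winlogon shell and the PolicyAgent service DLL.
$files = @("$env:SystemRoot\explorer.exe", "$env:SystemRoot\System32\ipsecsvc.dll")

foreach ($f in $files) {
    if (-not (Test-Path -Path $f)) { "$f : missing"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $f
    $hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash
    $ver  = (Get-Item -Path $f).VersionInfo.FileVersion
    [pscustomobject]@{
        File      = $f
        Version   = $ver
        SHA256    = $hash                 # paste this into VirusTotal, as in reply #2
        SigStatus = $sig.Status           # 'Valid' expected for genuine Windows binaries
        Signer    = $sig.SignerCertificate.Subject
    }
}

# Caveat: many Windows system files are catalog-signed rather than carrying an embedded
# signature, and on older Windows/PowerShell versions Get-AuthenticodeSignature can report
# 'NotSigned' for them. Treat that as 'verify by hash', not as proof of tampering.
```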