HitMan Pro found suspicious file, publisher Microsoft?


2 replies to this topic

#1 kikicool

kikicool

  • Members
  • 4 posts

Posted 20 July 2017 - 10:28 AM

Hi, all. You guys have helped me out of ridiculous situations in the past. Like, my computer turning Russian suddenly sort of ridiculous. I'm hoping you can help again. So Hitman pro, which I've been running daily, found a suspicious file. I looked at the details and well, it looks UNsuspicious to me. HMP seems to think it may be a rootkit. I have copied the scan details below. Should I delete this suspicious file? 

 

I downloaded HMP because a while ago, I got a pop up insisting that I had a virus installed and I researched this pop-up and it was false. 

 

Other than the computer now and then turning black for a second, everything seems totally fine. 

 

I am running Windows 10 on an Asus. 

I used the free version of HMP, which can't delete any viruses if I need to anyway. 

 

I appreciate ANY AND ALL INPUT!! because I'm slightly, or entirely technophobic. :)  :flowers: THANK YOU!!! :) Katie

 

 

Properties
Name svchost.exe
Location C:\WINDOWS\system32
Size 46.5 KB
Time 37.9 days ago (2017-06-12 12:36:09)
Authenticode Valid
Entropy 6.0
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Host Process for Windows Services
Version 10.0.15063.0
Copyright © Microsoft Corporation. All rights reserved.
RSA Key Size 2048
Service WpnUserService_43083b7
Process Type Critical
LanguageID 1033
SHA-256 9F21E51442209BCEC0EA4A468EF8A4741685AE204D5063F4C3E45E1F8CF72643
 
Scoring (24.0)
The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
This program is actively listening for inbound network connections.
Program starts automatically without user intervention.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Starts automatically as a service during system bootup.
This file's process is marked as system critical.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
Program is code signed with a valid Authenticode certificate.
 
Memory
 
Startup
 
Network Ports
0.0.0.0:135
0.0.0.0:49665
0.0.0.0:49666
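As an added triage check (not code from the original post or from HitMan Pro), the following PowerShell re-verifies the report's claims on the local machine: the file's path and SHA-256 against the values pasted above, the Authenticode chain to Microsoft, whether any svchost.exe runs from outside the system directories, and which process and hosted services own the three listed listening ports. It assumes an elevated PowerShell 5.1 or later session on the affected Windows 10 host.

```powershell
# Added triage script; not from the original post or HitMan Pro.
# Assumption: elevated PowerShell on the affected Windows 10 machine.
$Path          = 'C:\Windows\System32\svchost.exe'
$ReportedHash  = '9F21E51442209BCEC0EA4A468EF8A4741685AE204D5063F4C3E45E1F8CF72643'  # SHA-256 from the HMP report
$ReportedPorts = 135, 49665, 49666                                                    # "Network Ports" from the HMP report

# 1. Confirm the image path and compare the hash with what the scanner reported.
$file = Get-Item -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
"Path:   $($file.FullName)"
"SHA256: $hash  (matches report: $($hash -eq $ReportedHash))"

# 2. Authenticode: status must be Valid AND the signer subject must be Microsoft,
#    since "Authenticode Valid" alone only says the signature verifies, not who signed.
$sig    = Get-AuthenticodeSignature -LiteralPath $Path
$signer = $sig.SignerCertificate.Subject
"Signature: $($sig.Status)  Signer: $signer"
if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
    Write-Warning 'svchost.exe is not validly signed by Microsoft; treat it as suspicious.'
}

# 3. Every running svchost.exe should load from System32 or SysWOW64.
#    A copy elsewhere (or a look-alike name) is the classic masquerade to look for.
Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" |
    Where-Object { $_.ExecutablePath -notmatch '^C:\\Windows\\(System32|SysWOW64)\\svchost\.exe$' } |
    ForEach-Object { Write-Warning "svchost.exe from unexpected path: $($_.ExecutablePath) (PID $($_.ProcessId))" }

# 4. Map each reported listening port to its owning process and the services hosted in it.
foreach ($port in $ReportedPorts) {
    Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.OwningProcess)"
        $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId=$($_.OwningProcess)").Name -join ', '
        "Port $port -> PID $($_.OwningProcess) $($proc.Name) hosting: $svcs"
    }
}
```

On a healthy machine step 4 shows port 135 owned by the svchost.exe hosting the RPC endpoint mapper, and the 4966x ports by other svchost service groups; that, together with a Microsoft-chained signature and a System32 path, is the benign outcome for the report above.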



#2 kikicool

kikicool
  • Topic Starter

  • Members
  • 4 posts

Posted 20 July 2017 - 09:39 PM

...oh dear god. Don't tell me YOU guys are stumped, too??  :unsure: That is not a good sign for my computer. Yikes! 



#3 garioch7

garioch7

  • RCMP Veteran


  • Malware Response Instructor
  • 3,729 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 21 July 2017 - 10:11 AM

kikicool:

 

If you have any concerns about that file, you can upload it to VirusTotal.  Press the "Scan it!" button.  False positives are a common occurrence with anti-malware and anti-virus scanners.

 

Let us know what you find out.

 

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
