
Infected with something. Anti-malware tools can't find it.



#1 prugoclepr

Posted 31 October 2017 - 07:20 PM

The first symptom I noticed was it was auto-muting my microphone.

 

Instructions online said to track down svchost.exe instances run under my name. Found a couple. Killed them, ran Malwarebytes, found nothing.

 

I've also tried multiple other anti-malware tools including AdwCleaner, Zemana, and one or two others. Can't find anything.

 

But I do have eight suspicious looking services in my services window I can't permanently disable (if I turn them off from starting up and reboot, they're re-enabled), each mimicking the name of a legit service with added characters appended to the end.

 

Attached files: Bah.png, FRST.txt, Addition.txt

 

Help? Please? Thank you.


#2 nasdaq


  • Malware Response Team

Posted 01 November 2017 - 10:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Duplicate Cleaner Free 3.2.7 (HKLM-x32\...\Duplicate Cleaner Free) (Version: 3.2.7 - DigitalVolcano Software Ltd) <==== ATTENTION
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Microsoft Corporation) C:\Windows\System32\msconfig.exe
FF Extension: (BetterTTV) - C:\Users\Moleculor\AppData\Roaming\Mozilla\Firefox\Profiles\6p6djldf.default\Extensions\firefox@betterttv.net.xpi [2017-07-07]
FF Extension: (Abduction!) - C:\Users\Moleculor\AppData\Roaming\Mozilla\Firefox\Profiles\6p6djldf.default\Extensions\{b0e1b4a6-2c6f-4e99-94f2-8e625d7ae255}.xpi [2016-07-18]
FF Extension: (Search Image by Bing) - C:\Users\Moleculor\AppData\Roaming\Mozilla\Firefox\Profiles\6p6djldf.default\Extensions\{ec5ca6fe-1c60-4371-8046-674fec255327}.xpi [2016-04-30]
CHR Extension: (Chrome Media Router) - C:\Users\Moleculor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-03]
CustomCLSID: HKU\S-1-5-21-1003572329-3573382147-1830730956-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Moleculor\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1003572329-3573382147-1830730956-1001_Classes\CLSID\{8A589AFF-8DA8-49C5-B89B-20C9DF31F2B7}\InprocServer32 -> C:\Users\Moleculor\AppData\Local\Google\Update\1.3.30.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1003572329-3573382147-1830730956-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Moleculor\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1003572329-3573382147-1830730956-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Moleculor\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
AlternateDataStreams: C:\Users\Moleculor\AppData\Local\Temp:$DATA [16]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

#3 prugoclepr


  • Topic Starter


Posted 01 November 2017 - 04:49 PM

Those strange services are still listed, and a couple were running on boot, but stopping them seemed to stick this time? (EDIT: Actually, I doubt it stuck. See below.)

 

Out of paranoia, I'm going to uncheck them from my msconfig and reboot, see if that 'sticks' as well.

 

EDIT: Unchecking them and rebooting did NOT stick, they were re-activated on boot. In addition, two of the eight were back up and running. It's always two of the eight running. And stopping doesn't seem to be sticking, still.

 

EDIT2: Sorry, missed the instruction about system restore, I have that switched on now. Oops! (I'm half tempted to create a restore point and just rip those eight registry entries out for those services, but I have no clue where they came from in the first place.)


Edited by prugoclepr, 01 November 2017 - 05:06 PM.


#4 nasdaq


  • Malware Response Team

Posted 02 November 2017 - 07:16 AM

Hi,

This may be caused by a 3rd party driver.


Navigate to this page.
http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector

Download and run the Flexera Software Personal Software Inspector.

Update all the 3rd party drivers that are reported as needing an update.

#5 prugoclepr


  • Topic Starter


Posted 02 November 2017 - 01:37 PM

No drivers of any kind were listed by the scan.

 

If 'third-party' means 'not made by manufacturer', I've only installed one of those ever, and it was UNi Unified Xonar drivers from here: http://maxedtech.com/asus-xonar-unified-drivers/

 

I uninstalled those months back, but in the interest of being thorough, I'm doing a deep clean to scrub every trace of anything related to my sound card (both manufacturer and otherwise), and then reinstalling the manufacturer's drivers again.

 

Let's assume that's not going to work, though. What would be the next step?

 

I'll reply (or edit if you haven't replied) if somehow it does solve the issue.

 

EDIT: Doing a driver clean did not remove the services, two or three are still running on boot, and killing them just starts up others. If I kill them fast enough, eventually they stop starting up, but they're still present on my machine.


Edited by prugoclepr, 02 November 2017 - 02:00 PM.


#6 nasdaq


  • Malware Response Team

Posted 03 November 2017 - 07:15 AM

Hi,

EDIT: Doing a driver clean did not remove the services, two or three are still running on boot, and killing them just starts up others. If I kill them fast enough, eventually they stop starting up, but they're still present on my machine.


Some services are hard coded in the Operating system.

Which services are you referring to?

#7 prugoclepr


  • Topic Starter


Posted 03 November 2017 - 03:17 PM

The ones in the screenshot that are the same name as already existing services with the randomized string of characters appended at the end of the name. These services are not launched by the User Name 'SYSTEM' or 'NETWORK SERVICE' or 'LOCAL SERVICE' but by my user name instead.


Edited by prugoclepr, 03 November 2017 - 03:20 PM.


#8 nasdaq


  • Malware Response Team


Posted 04 November 2017 - 06:56 AM

Hi,

These services are from the Operating system.
When and if needed, they will be used by the Operating system.

If you need to understand these please ask in the Windows 10 Forum.
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/

An expert will help you.

This is not malware and not my forte.

#9 prugoclepr


  • Topic Starter


Posted 04 November 2017 - 10:37 AM

So you're saying that it's totally and entirely normal for there to be sixteen services on my machine, eight of which are legitimate Microsoft OS services, and eight of which are named identically to those same services but with randomly-generated characters on the end, and unlike every other legitimate OS service, these services launch under my username, rather than SYSTEM or NETWORK SERVICE?

 

In exactly the kind of behavior malware would have?

 

I've attached another screenshot to show the Microsoft services next to the weird ones. Each of the eight 'weird' services has an identical 'legit' looking service that does appear to be an OS-based service.

 

I'll try typing out each of the pairs, but I make no guarantees that I'm going to type the names correctly.

 

Connected Devices Platform User Service <--- Legit OS service

Connected Devices Platform User Service_1196b9 <--- Weird thing that launches under my username.

DevicesFlow <--- Legit OS service

DevicesFlow_1196b9 <--- Weird thing that launches under my username.

MessagingService <--- etc

MessagingService_1196b9 <--- etc

Sync Host

Sync Host_1196b9

Contact Data

Contact Data_1196b9

User Data Storage

User Data Storage_1196b9

User Data Access

User Data Access_1196b9

Windows Push Notifications User Service

Windows Push Notifications User Service_1196b9

 

If those eight with the random characters at the end are legitimate OS services, why are they not being launched by the OS? (i.e. SYSTEM, etc)? And why do they have identically named legitimate services? And why do they have random characters that re-randomize on every boot?

Attached file: Bah3.png

Edited by prugoclepr, 04 November 2017 - 10:41 AM.


#10 nasdaq


  • Malware Response Team

Posted 05 November 2017 - 07:51 AM

Hi,

It looks like it is from the DevicesFlow service.

https://www.tenforums.com/general-support/28509-what-devices-flow.html

and

http://servicedefaults.com/10/devicesflowusersvc/

If you need more information ask in the Windows 10 Forum.
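For a reader who arrives at this thread with the same eight suffixed services (the pairs listed in post #9 and the DevicesFlow pointer in post #10), the following PowerShell is an added example, not code from the thread or from either poster. Windows 10 version 1607 and later creates per-user services at sign-in from a template service and names each instance with the logon session's LUID as a hex suffix (e.g. DevicesFlow_1196b9), which is why the suffix changes on every boot and why the instance runs as the signed-in user rather than SYSTEM. The script checks, for every suffixed service on the machine, that the template exists and carries the SERVICE_USER_SERVICE flag (0x40), that the instance carries SERVICE_USERSERVICE_INSTANCE (0x80), that the host is System32\svchost.exe, and that the service DLL is Microsoft-signed; it also reports the account each instance runs as. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the function names and the "REVIEW" verdict are my own.

```powershell
# Added example (not from the thread): classify suffixed services such as
# "DevicesFlow_1196b9" as Windows 10 per-user service instances or flag them
# for review. Assumes Windows 10 1607+ and an elevated PowerShell 5.1 session.

# Service Type flag bits as defined in winsvc.h (Windows 10 SDK).
$SERVICE_USER_SERVICE         = 0x40   # set on the per-user template service
$SERVICE_USERSERVICE_INSTANCE = 0x80   # set on each per-logon instance

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDllSignature {
    param([Parameter(Mandatory)][string]$ServiceName)
    # svchost-hosted services keep their DLL path in Parameters\ServiceDll.
    $p = Get-ItemProperty -Path "$ServicesRoot\$ServiceName\Parameters" -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.ServiceDll) { return $null }
    $dll = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
    if (-not (Test-Path -LiteralPath $dll)) { return $null }
    # Handles both embedded and catalog signatures on Windows 8+.
    Get-AuthenticodeSignature -FilePath $dll
}

function Test-PerUserServiceInstance {
    param([Parameter(Mandatory)][string]$Name)

    # Instances are named <Template>_<hex LUID>; the LUID is new on every logon.
    if ($Name -notmatch '^(?<template>.+)_(?<luid>[0-9a-fA-F]+)$') { return $null }
    $template = $Matches.template

    $tmpl = Get-ItemProperty -Path "$ServicesRoot\$template" -ErrorAction SilentlyContinue
    $inst = Get-ItemProperty -Path "$ServicesRoot\$Name"     -ErrorAction SilentlyContinue

    # The DLL is defined on the template; an instance with no template is suspicious,
    # so fall back to the instance key only to report what it points at.
    $dllOwner = if ($tmpl) { $template } else { $Name }
    $sig = Get-ServiceDllSignature -ServiceName $dllOwner

    $imagePath = if ($tmpl) { $tmpl.ImagePath } elseif ($inst) { $inst.ImagePath } else { '' }
    $imagePath = [Environment]::ExpandEnvironmentVariables("$imagePath")
    $svchost   = Join-Path $env:SystemRoot 'System32\svchost.exe'

    $checks = [ordered]@{
        TemplateExists  = ($null -ne $tmpl)
        TemplateIsUser  = ($null -ne $tmpl) -and (($tmpl.Type -band $SERVICE_USER_SERVICE) -ne 0)
        InstanceFlagged = ($null -ne $inst) -and (($inst.Type -band $SERVICE_USERSERVICE_INSTANCE) -ne 0)
        HostIsSvchost   = ($imagePath -match [regex]::Escape($svchost))
        DllSignedByMS   = ($null -ne $sig) -and ($sig.Status -eq 'Valid') -and
                          ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
    $allPassed = (@($checks.Values) -notcontains $false)

    # The account the instance actually runs as (the thread's "launches under my username").
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name     = $Name
        Template = $template
        RunsAs   = $cim.StartName
        Verdict  = if ($allPassed) { 'per-user instance of a Microsoft service' } else { 'REVIEW' }
        Failed   = ($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }) -join ','
    }
}

# Classify every suffixed service present right now.
Get-Service |
    Where-Object { $_.Name -match '_[0-9a-fA-F]+$' } |
    ForEach-Object { Test-PerUserServiceInstance -Name $_.Name } |
    Format-Table Name, Template, RunsAs, Verdict, Failed -AutoSize
```

Note that services.msc shows display names (DevicesFlow_1196b9) while the registry and Get-Service use the short name (the template's key plus the same suffix), so the script works from Get-Service rather than from the names typed out in post #9. A "REVIEW" verdict is not a malware verdict; it means one of the five checks failed and the Failed column says which, so the next step is to look at that registry key and the DLL it names by hand.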