Win32.Trojan.WisdomEyes?


7 replies to this topic

#1 Senvah

Senvah

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 24 February 2018 - 11:28 PM

I was using Process Explorer and found one DLL that was scanned by VirusTotal.

 

https://www.virustotal.com/en/file/b0993d1040c91ffb9b5edbfcbf9885887c90a01e9a7dd4218fa0d09a05c42097/analysis/1519532432/

 

Is this a false positive or an infection?

 

Edit: I am using Windows 10 and I use Malwarebytes, AdwCleaner, and RogueKiller.

I haven't taken any other steps other than scanning with these scanners to remove anything malicious from the computer.


Edited by Senvah, 25 February 2018 - 12:53 AM.




#2 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 856 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:02 PM

Posted 25 February 2018 - 01:36 AM

audiosrv.dll is a legitimate Windows file that should be located at C:\Windows\System32\audiosrv.dll.

https://www.bleepingcomputer.com/startups/audiosrv.dll-16921.html

If the file you scanned is in that location then it is highly likely that the single "detection" by Baidu is a false positive.

To check further if it's a Windows file or not, go to C:\Windows\System32, right-click on audiosrv.dll, select Properties, then Details, which should say it was made by Microsoft.

 

Do you have any other symptoms, or reasons to suspect that you may have contracted an infection?
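
Added example, not part of the original posts: a PowerShell version of the check described in post #2 that validates the file's Authenticode signature (stronger evidence than the Details tab, whose fields are plain metadata embedded in the file), hashes it for comparison with the VirusTotal report linked in post #1, and shows where the running Windows Audio service loaded the DLL from. It assumes 64-bit PowerShell 5.1 on Windows 10, the service name `Audiosrv`, and an elevated prompt for the module listing; the function name `Test-SystemDll` is hypothetical.

```powershell
function Test-SystemDll {
    param(
        [string]$DllName = 'audiosrv.dll',
        [string]$ServiceName = 'Audiosrv',   # assumed name of the Windows Audio service
        # SHA-256 from the VirusTotal URL in post #1; other Windows builds will differ.
        [string]$ReportedSha256 = 'b0993d1040c91ffb9b5edbfcbf9885887c90a01e9a7dd4218fa0d09a05c42097'
    )

    # Expected location of the genuine file (run from 64-bit PowerShell so that
    # System32 is not redirected to SysWOW64).
    $expected = Join-Path $env:SystemRoot "System32\$DllName"
    if (-not (Test-Path -LiteralPath $expected)) { throw "$expected not found" }

    # 1. Signature. Most system files are catalog-signed rather than carrying an
    #    embedded signature; on Windows 10 this cmdlet checks the catalog too.
    $sig = Get-AuthenticodeSignature -LiteralPath $expected

    # 2. Hash of the on-disk file, to compare with the hash that was scanned.
    $hash = (Get-FileHash -LiteralPath $expected -Algorithm SHA256).Hash.ToLower()

    # 3. Path of the copy the running service actually has loaded.
    #    Listing modules of a service host process needs an elevated prompt.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    $loaded = @()
    if ($svc -and $svc.ProcessId) {
        $loaded = @(Get-Process -Id $svc.ProcessId -Module -ErrorAction SilentlyContinue |
            Where-Object { $_.ModuleName -ieq $DllName } |
            ForEach-Object { $_.FileName })
    }

    [pscustomobject]@{
        Path            = $expected
        SignatureStatus = $sig.Status                      # 'Valid' is expected
        Signer          = $sig.SignerCertificate.Subject   # a Microsoft subject is expected
        IsOSBinary      = $sig.IsOSBinary
        Sha256          = $hash
        MatchesReport   = ($hash -eq $ReportedSha256.ToLower())
        LoadedFrom      = $loaded -join '; '
        # True if the service loaded a same-named DLL from any other directory.
        LoadedElsewhere = [bool]($loaded | Where-Object { $_ -ine $expected })
    }
}

Test-SystemDll | Format-List
```

An empty `LoadedFrom` usually means the prompt is not elevated or the service is not running, not that the DLL is absent.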



#3 Senvah


Posted 25 February 2018 - 06:39 PM

I have logs from other scanners detecting maybe minor stuff but other than that I don't really have any other evidence than that. 

Also I thought malware/trojans/keyloggers/backdoors/rootkits can inject themselves into legitimate dll processes? 

That's probably one of the reasons I think I might be infected. Anyway, thanks for the reply.

 

Edit: Isn't the purpose of those things to go unnoticed as long as possible and cause as much damage?


Edited by Senvah, 25 February 2018 - 06:40 PM.


#4 Gary R


Posted 26 February 2018 - 12:52 AM

Yes, it is possible to inject code into an existing executable, and many infection writers use that technique to hide their creations. However, when there's only one AV program making a detection, it's much more likely that the detection is a false positive.

 

Had the file been flagged by a few more AVs then it would have been advisable to check further, but with only a single detection out of 67 scans, the odds are high that Baidu's detection is a false one.

 

If you'd had any corroborating symptoms or problems, it would similarly warrant additional checks, but as you don't seem to have any, I think it's probably safe to assume that that dll is OK.


Edited by Gary R, 26 February 2018 - 12:55 AM.


#5 Senvah


Posted 27 February 2018 - 05:04 AM

Thanks for getting back with me Gary.
I was wondering if you could still help me take a look at my PC? 
Here are the logs I was talking about.
I have to copy and paste them since I can't seem to find out how to add attachments, unless it's hiding in plain sight and I just don't see it.
 
# AdwCleaner 7.0.8.0 - Logfile created on Sun Feb 25 03:49:03 2018
# Updated on 2018/08/02 by Malwarebytes 
# Database: 02-23-2018.2
# Running on Windows 10 Home (X64)
# Mode: scan
# Support:
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Value] - HKU\S-1-5-21-390732751-2260908807-2568724713-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | Application Restart #1
PUP.Optional.Legacy, [Value] - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [1954 B] - [2018/1/8 7:43:30]
C:/AdwCleaner/AdwCleaner[S0].txt - [1819 B] - [2018/1/8 7:35:17]
C:/AdwCleaner/AdwCleaner[S1].txt - [1077 B] - [2018/1/8 7:55:45]
C:/AdwCleaner/AdwCleaner[S2].txt - [1143 B] - [2018/1/8 9:25:42]
C:/AdwCleaner/AdwCleaner[S3].txt - [1209 B] - [2018/1/9 22:58:3]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt ##########
 
Adwcleaner second scan log 
 

# AdwCleaner 7.0.6.0 - Logfile created on Mon Jan 08 07:43:30 2018
# Updated on 2017/21/12 by Malwarebytes 
# Running on Windows 10 Home (X64)
# Mode: clean
# Support:
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
No malicious folders deleted.
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [1819 B] - [2018/1/8 7:35:17]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
 
I can't find the RogueKiller log but it did find and remove stuff from that too.

 


Edited by Senvah, 27 February 2018 - 06:05 AM.


#6 Senvah


Posted 28 February 2018 - 03:23 AM

Sometimes Chrome tabs open pages without me opening them.



#7 Gary R


Posted 28 February 2018 - 05:05 AM

OK, this is not the place to post logs. If you need me to check your computer for infection, you need to open a topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

Please follow the instructions in the Preparation Guide which will let you know what you need to do.

Please post me a link to your new topic once you've posted your FRST logs in it.



#8 Senvah


Posted 28 February 2018 - 11:52 PM

Thanks for your help, Gary. Here is the link to the new topic.

Sorry about posting the logs here.

 

https://www.bleepingcomputer.com/forums/t/672031/frst-logs/





