
Weird Process called System Secure


16 replies to this topic

#1 teslag28


Posted 15 July 2018 - 05:15 PM

I see a weird process called System Secure running in the Task Manager. I also tried Process Explorer but could not send it to VirusTotal. If I click "Open file location" it points me to ntoskrnl.exe in the system32 folder.

I'm guessing it is a virus of some sort; any help would be appreciated.

I have attached a screenshot showing the running process in the task manager.

Thanks.

 

Attached Files


Edited by teslag28, 15 July 2018 - 05:16 PM.




#2 JohnC_21


Posted 15 July 2018 - 05:27 PM

See the link below. If you don't have Windows 10 Enterprise I would not know why you have that process running.

 

https://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130



#3 Mason21


Posted 15 July 2018 - 06:46 PM

Recommend downloading Process Explorer. Click "Options" and "Verify Image Signatures". Under "VirusTotal.com" check the options "Check VirusTotal.com" and "Submit Unknown Executables". The new column labeled "VirusTotal" will show your processes. Processes in that column that have multiple red numbers (example: 8/63, with the 8 in red) can indicate a possible virus or malware infection.


Edited by Mason21, 15 July 2018 - 06:47 PM.
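As an added example (not code from Mason21 or anyone else in this thread), the check that Process Explorer's "Verify Image Signatures" option performs can also be done from PowerShell for the specific files this thread mentions: it verifies each file's Authenticode signature and prints its SHA-256 hash, which can be pasted into VirusTotal's search box by hand when the upload from Process Explorer fails. The file list is an assumption drawn from the thread; run it from an elevated PowerShell 5.1 window on Windows 10.

```powershell
# Added example, not from the thread: verify the Authenticode signatures and
# compute SHA-256 hashes of the Windows binaries discussed in this topic.
# Assumption: the paths below are the files the poster was asking about.
$files = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",   # the kernel, which "Secure System" points at
    "$env:SystemRoot\System32\lsass.exe",      # Local Security Authority
    "$env:SystemRoot\System32\LsaIso.exe"      # isolated LSA; only present when VBS is enabled
)

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        # A missing LsaIso.exe is normal on a machine without Virtualization Based Security.
        Write-Output "$path : not present"
        continue
    }

    # Get-AuthenticodeSignature on PowerShell 5.x also checks catalog-signed OS files;
    # a genuine Microsoft binary reports Status 'Valid' and a Microsoft signer.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        File   = Split-Path -Leaf $path
        Status = $sig.Status       # anything other than 'Valid' deserves a closer look
        Signer = $signer
        SHA256 = $hash             # look this value up on VirusTotal instead of uploading
    }
}
```

The hash lookup avoids uploading the file at all, which is also the safer choice for any file you cannot yet identify. On older PowerShell versions catalog-signed system files can show "NotSigned" even when they are genuine, so treat a "Valid" result as strong evidence and a "NotSigned" result as a prompt to check with `sigverif` or Process Explorer rather than as proof of tampering.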


#4 teslag28


Posted 15 July 2018 - 07:10 PM

Hey @Mason21, I did that and I got this... attaching the image... please check. A lot of reds in the VirusTotal result.

Attached Files



#5 teslag28


Posted 15 July 2018 - 07:17 PM

Recommend downloading Process Explorer. Click "Options" and "Verify Image Signatures". Under "VirusTotal.com" check the options "Check VirusTotal.com" and "Submit Unknown Executables". The new column labeled "VirusTotal" will show your processes. Processes in that column that have multiple red numbers (example: 8/63, with the 8 in red) can indicate a possible virus or malware infection.

Why does it say "system cannot find the file specified"? Also, those processes look very weird.

Attached Files



#6 Mason21


Posted 15 July 2018 - 07:44 PM

Those VirusTotal results are not high. Probably false positives. But just in case, do the steps below.

First recommendation is to open up Command Prompt as administrator: type cmd in the Windows search box, wait until the blue box above pops up that says "Command Prompt", right-click on the blue area and select "Run as administrator", click "Yes", then type in the Command Prompt box: sfc /scannow ... let this run to completion. Next, open up Command Prompt as administrator and type: dism /online /cleanup-image /restorehealth. Let that run to completion. Next do the steps below:

Kaspersky is probably a false positive, but I recommend running a free online scan with ESET Online Scanner. Do not install; run the online scan. https://www.eset.com/int/home/online-scanner/

Then download and run Malwarebytes Free (you will have to disable Kaspersky), run a scan, and then uninstall it if you want.

Then download and run AdwCleaner: https://www.malwarebytes.com/adwcleaner/

Try those programs to see if anything gets removed.


Edited by Mason21, 15 July 2018 - 08:11 PM.


#7 medab1


Posted 15 July 2018 - 08:10 PM

Another way to get an elevated cmd prompt:

 

screenshot_48.jpg


Learn to take screenshots & add them to your posts. :thumbup2:

https://www.bleepingcomputer.com/forums/t/43088/how-to-capture-and-edit-a-screen-shot/#entry4532851

Learn to use Google Search.  :busy:

Make full system images to restore to if your computer goes bonkers.


#8 teslag28


Posted 17 July 2018 - 03:53 AM

Tried:

 

Those VirusTotal results are not high. Probably false positives. But just in case, do the steps below.

First recommendation is to open up Command Prompt as administrator: type cmd in the Windows search box, wait until the blue box above pops up that says "Command Prompt", right-click on the blue area and select "Run as administrator", click "Yes", then type in the Command Prompt box: sfc /scannow ... let this run to completion. Next, open up Command Prompt as administrator and type: dism /online /cleanup-image /restorehealth. Let that run to completion. Next do the steps below:

Kaspersky is probably a false positive, but I recommend running a free online scan with ESET Online Scanner. Do not install; run the online scan. https://www.eset.com/int/home/online-scanner/

Then download and run Malwarebytes Free (you will have to disable Kaspersky), run a scan, and then uninstall it if you want.

Then download and run AdwCleaner: https://www.malwarebytes.com/adwcleaner/

Try those programs to see if anything gets removed.

Tried everything and the results came out clean. The process still exists as PID 74.



#9 jenae


Posted 17 July 2018 - 07:39 AM

Hi, what version of Win 10 do you have: Home, Pro, Education or Enterprise?



#10 teslag28


Posted 17 July 2018 - 11:16 AM

Hi, what version of Win 10 do you have: Home, Pro, Education or Enterprise?

 

Windows 10 Home

Attached Files



#11 Mason21


Posted 17 July 2018 - 11:46 AM

Please type "windows features" in the search box. A pane will open up. Make sure that you do not have the "Hyper-V" options checked. I don't understand why you would have that process running on Windows 10 Home. It is supposed to be for "Enterprise". Here is the article I pulled up about it: https://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130 If this doesn't get rid of it, wait until jenae gets back with you. She probably knows an easy way to fix this.


Edited by Mason21, 17 July 2018 - 11:49 AM.


#12 teslag28


Posted 17 July 2018 - 01:52 PM

Please type "windows features" in the search box. A pane will open up. Make sure that you do not have the "Hyper-V" options checked. I don't understand why you would have that process running on Windows 10 Home. It is supposed to be for "Enterprise". Here is the article I pulled up about it: https://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130 If this doesn't get rid of it, wait until jenae gets back with you. She probably knows an easy way to fix this.

Hyper-V option is checked off. BTW, I am unable to access that link: "Site cannot be reached".



#13 JohnC_21


Posted 17 July 2018 - 03:03 PM

I posted that link in my initial reply and I am also able to reach that link. Something is really off. In your image you show two files not found, which were lsass and LsaIso. Those two files work with the Secure System process. I would wait for jenae's reply on this. He is the go-to person for the inner workings of Windows.

 

https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/

 

image_thumb_61487597.png
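An added example, not from JohnC_21 or the linked article: a PowerShell report of the machine state behind the "Secure System" process, so the question "why is it there?" can be answered from the machine itself rather than from a screenshot. It queries the Win32_DeviceGuard CIM class (whose status codes Microsoft documents as VirtualizationBasedSecurityStatus 0/1/2 for not enabled / enabled but not running / running, and SecurityServicesRunning 1 for Credential Guard, 2 for HVCI), the Hyper-V optional feature state, and whether the "Secure System" and LsaIso processes exist. The process names are taken from what Task Manager and this thread show; treating a "running" VBS status as the benign explanation for the process is an assumption you should confirm against the edition and settings reported. Run it from an elevated PowerShell window on Windows 10.

```powershell
# Added example, not from the thread: report Virtualization Based Security (VBS)
# state, the security services it runs, the Hyper-V feature state, and the
# presence of the processes that only exist when VBS is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# Code values as documented for Win32_DeviceGuard.
$vbsState     = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
$serviceNames = @{ 0 = 'none'; 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }

# SecurityServicesRunning is an array of codes; translate each one.
$running = foreach ($code in $dg.SecurityServicesRunning) {
    if ($serviceNames.ContainsKey([int]$code)) { $serviceNames[[int]$code] } else { "code $code" }
}

# Hyper-V is not offered on Home editions, so a lookup failure is expected there.
$hyperv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue

# Assumption: these are the process names Task Manager shows for the VBS components.
$secureSystem = Get-Process -Name 'Secure System' -ErrorAction SilentlyContinue
$lsaIso       = Get-Process -Name 'LsaIso'        -ErrorAction SilentlyContinue

[pscustomobject]@{
    Edition                 = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    VbsStatus               = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    SecurityServicesRunning = ($running -join ', ')
    HyperVFeature           = if ($hyperv) { [string]$hyperv.State } else { 'not found' }
    SecureSystemPid         = if ($secureSystem) { $secureSystem.Id } else { 'not running' }
    LsaIsoPid               = if ($lsaIso) { $lsaIso.Id } else { 'not running' }
}
```

If VbsStatus reports "running", the "Secure System" process and LsaIso.exe are the expected components of that feature and the earlier signature and hash checks are the right way to rule out a substituted binary; if VBS reports "not enabled" yet the process is present, that mismatch is the detail worth taking to the malware-removal forum, as jenae suggests later in this thread.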



#14 teslag28


Posted 17 July 2018 - 05:14 PM

I posted that link in my initial reply and I am also able to reach that link. Something is really off. In your image you show two files not found, which were lsass and LsaIso. Those two files work with the Secure System process. I would wait for jenae's reply on this. He is the go-to person for the inner workings of Windows.

 

https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/

 

image_thumb_61487597.png

I knew it, something sure is off, and I might know the person that did it. I think it is a rootkit infection... It happened a few months back when this guy from work was telling me all about hacking and rootkits. He himself does malware crypters in C++; he is very good with Windows and works at some ring0/ring1 or something level of a kernel/OS. I remember him telling me to insert a PD in my lappy and boot from it; I did it (now I'm thinking he flashed a firmware rootkit). Till now I was like "not possible, I'm just being paranoid", but something sure is off. I also get disconnected a lot while playing online games such as Dota. I ran GMER also last week but it either causes a BSOD or the program crashes (I did disable Kaspersky). I remember him showing me some malware he was developing which came out clean in VirusTotal.

The reason I think it is a rootkit infection is because I have formatted my whole HDD multiple times but these weird processes keep coming up; also I have a lot of shortcut links that say "Access Denied" and a lot of NT.USR logs everywhere.

 

Attached File: Capture2.PNG (6.33KB, 0 downloads)
Attached File: Capture1.PNG (476.39KB, 0 downloads)

Attached Files:

My Task View of the above 2 processes.

Weird shortcuts everywhere.


Edited by teslag28, 17 July 2018 - 05:16 PM.


#15 jenae


Posted 17 July 2018 - 06:43 PM

Hi, yes, JohnC flagged this issue in his first post. I believe forum rules would prevent me from plowing in; besides, our methods would reveal too much, and in the wrong hands this is dangerous.

 

Please reference this thread and start a new thread on our Virus, Spyware, Malware, removal forum.

