svhost hijacked?

Discussion in 'Windows 7' started by Micchan, Dec 9, 2016.

  1. Micchan

    Micchan MDL Novice

    Aug 7, 2016
    8
    1
    0
    #1 Micchan, Dec 9, 2016
    Last edited: Dec 10, 2016
    Hi, my GlassWire alerted me yesterday that my svchost might be hijacked (image.prntscr.com/image/27fba0cd54a24578a3e9202af0b970ae.png), so I scanned with MBAM, got nothing, then I ended up system restoring from a previous disk image backup from 2 days ago.
    When I click properties of any svchost (+ all system processes) via Task Manager, it shows me size 0 bytes (image.prntscr.com/image/caf939bc2fc447418013ee9e2ad5b008.png) even now, but when I click on open file location > system32\svchost.exe > properties, it shows the real size:
    image.prntscr.com/image/17c1fdb0f3c44bc7a82599f5303c14f4.png
    I was wondering, is it normal for svchost (or all system processes) to show size 0 bytes in properties when I click properties directly via Task Manager?

    My PC is Win 7 SP1 Ultimate with simplix up-to-date + latest Malwarebytes Anti-Malware + Exploit installed.
     
  2. PhaseDoubt

    PhaseDoubt MDL Expert

    Dec 24, 2011
    1,448
    278
    60
    None of mine show 0 bytes file size; I have no idea why yours would.
     
  3. NeXtStatioN

    NeXtStatioN MDL Senior Member

    Dec 29, 2014
    325
    586
    10
    Hello

    Can you calculate the SHA1 checksum of the svchost.exe file in the System32 folder?
    (Use HashMyFiles, for example)

    And post the SHA1 sum here.

    ---
    Or upload the file to VirusTotal and give us the link to the report.
     
  4. ratnesh

    ratnesh MDL Novice

    Feb 19, 2012
    6
    1
    0
    • Format Your PC
     
  5. Micchan

    Micchan MDL Novice

    Aug 7, 2016
    8
    1
    0
    #5 Micchan, Dec 10, 2016
    Last edited: Dec 10, 2016
    (OP)
    Checksums generated by ExactFile 1.0.0.15
    12/10/2016 5:45:12 PM

    C:\Windows\System32\svchost.exe
    20992 bytes

    ADLER32: 37e8408c
    CRC32: 4b0eaf31
    MD2: 2a732a0ba3dd218a2f5a8a204ee690cf
    MD4: be3f2a22b071e3db991337117c2faef0
    MD5: 54a47f6b5e09a77e61649109c6a08866
    SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
    SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
    SHA384: bcf15767e0ea5fee505b7cd724dfa9f6d0cd68d5b7a9a1c0d60cafd105ebc71f686233a70e0ea0b9373e3d0cd8b217d9
    SHA512: 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
    RIPEMD128: 378f4f676a9a866d2553cb2cc27b01ee
    RIPEMD160: d803f83d339b1312e7ec3cc3cfdd195c03f510bb
    TIGER128: 5c4d02380ec008518cc2130457f7819f
    TIGER160: 5c4d02380ec008518cc2130457f7819f6531b48b
    TIGER192: 5c4d02380ec008518cc2130457f7819f6531b48b8ec30490
    GOST: ee946bd68c88e84ea376fbf26a0ab1a54a55717343d4cfd38fc1c3ffc854a6f0


    edit: all running files show 0 bytes when I open them via Task Manager > Properties > File details.
    I didn't originally check other files yesterday since I thought it had something to do with OS files.


    Here are my Task Manager hashes to verify:

    Checksums generated by ExactFile 1.0.0.15
    12/10/2016 6:24:32 PM

    C:\Windows\System32\taskmgr.exe
    227328 bytes

    ADLER32: 8eaab9fd
    CRC32: 862c12d5
    MD2: 9c766578327917ac44060313dc0afd86
    MD4: f2a21830ef69b2baa42ed8c80d8f400b
    MD5: 545bf7eaa24a9e062857d0742ec0b28a
    SHA1: d748d5b325e5dd4fadeb837a59f61e55d2636d31
    SHA256: 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf
    SHA384: 832e32d0a91ed59d3618f25e9f45de2265690e1f1943f9dd4fd5aee17d2d6b3ec1eb66380ca982450985b2c9494d8b9c
    SHA512: b132a23f443a75deb7bd10415efb871524b63860b2eb30a198dea2f7e67a1fa3bcdc5344dc98f306c8b93452329d6422d5264c1d64a403abeaf7db1662980f1a
    RIPEMD128: eb3dbfb02f829f54a7a28beedde214ca
    RIPEMD160: f5c86de6c3f1dd3b94a919724829f8837f3c1aae
    TIGER128: e5d1be0f459ab87ed78bd296fccf5582
    TIGER160: e5d1be0f459ab87ed78bd296fccf5582f177ca4e
    TIGER192: e5d1be0f459ab87ed78bd296fccf5582f177ca4ed6133198
    GOST: a9cfd40389a6b7244fbf7db92b9450c2f055d4396171bc0082e6448de9af96a0
     
  6. NeXtStatioN

    NeXtStatioN MDL Senior Member

    Dec 29, 2014
    325
    586
    10
    #6 NeXtStatioN, Dec 10, 2016
    Last edited: Dec 10, 2016
  7. NeXtStatioN

    NeXtStatioN MDL Senior Member

    Dec 29, 2014
    325
    586
    10
    RogueKiller is one of them
     
  8. Micchan

    Micchan MDL Novice

    Aug 7, 2016
    8
    1
    0
    #9 Micchan, Dec 11, 2016
    Last edited: Dec 11, 2016
    (OP)
    Booted into safe mode & ran as administrator;
    I got nothing with DarkCometRemover.
    Here's my RogueKiller log:

    RogueKiller V12.8.4.0 [Dec 5 2016] (Free) by Adlice Software

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Safe mode
    User : compaq [Administrator]
    Started from : E:\Downloads\Programs\RogueKiller.exe
    Mode : Delete -- Date : 12/10/2016 21:59:42 (Duration : 00:14:53)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 6 ¤¤¤
    [Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{cacd3178-4c86-52cb-87bf-eb0ef10e6e26} (C:\Users\compaq\AppData\Roaming\JPL-NASA-Caltech\NASA's Eyes\npNASAEyes.dll) -> Deleted
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DF269D74-5AE1-4915-A41B-806027A0A815} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE|Name=LogiOptionsMgr.EXE|Desc=LogiOptionsMgr.EXE| [7] -> Deleted
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DF269D74-5AE1-4915-A41B-806027A0A815} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE|Name=LogiOptionsMgr.EXE|Desc=LogiOptionsMgr.EXE| [7] -> Deleted
    [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Replaced (2)
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4247704052-1317690640-1364796352-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Replaced (1)
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4247704052-1317690640-1364796352-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Replaced (1)

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA DT01ACA200 ATA Device +++++
    --- User ---
    [MBR] 348a123da8cac430ae71cb08cd5b1848
    [BSP] a8c1f2d06ea7412209ccd8594377808c : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 107628 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 220628992 | Size: 899999 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2063826944 | Size: 900000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK


    Currently downloading the Windows 7 SP1 Media Refresh ISO from Daz's thread.
     
  9. NeXtStatioN

    NeXtStatioN MDL Senior Member

    Dec 29, 2014
    325
    586
    10
    Did you try to run MBAM in Safe Mode using Chameleon?
     
  10. PhaseDoubt

    PhaseDoubt MDL Expert

    Dec 24, 2011
    1,448
    278
    60
    So RogueKiller will ID the presence of DarkComet. Then it seems prudent to run it and see what it says. Its outcome will determine the next step, right?

    Is MBAM capable of determining the presence of DarkComet and removing it? I'm confused, which program, or programs, are you recommending to detect and remove DarkComet: RogueKiller or MBAM or both maybe?
     
  11. NeXtStatioN

    NeXtStatioN MDL Senior Member

    Dec 29, 2014
    325
    586
    10
    Both are supposed to detect it (the RogueKiller developer now works for Malwarebytes), but RogueKiller is more powerful in its tasks.


    From what I've seen in the RogueKiller report, there are no files related to any "malicious" threats.
    Which seems strange.
    Why did svchost.exe change? Why did it lose its signature? And why isn't it detected?
    I need to do further research on this.

    So, Micchan, keep the ISO safe somewhere until changes.
     
  12. ratnesh

    ratnesh MDL Novice

    Feb 19, 2012
    6
    1
    0
    Download Autoruns, check the checksums for all files there and scan them (VirusTotal).
    Looks like your PC is infected so badly. :(


    Download and run Hitman Pro (optionally).
     
  13. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,175
    10,934
    340
    The checksums of svchost.exe and taskmgr.exe are perfectly right! Showing 0 bytes indicates manipulation of filesystem/file info (metadata)... not the data itself.

    svchost version: 6.1.7600.16385
    taskmgr.exe: 6.1.7601.17514
     
  14. NeXtStatioN

    NeXtStatioN MDL Senior Member

    Dec 29, 2014
    325
    586
    10
    But a loss of file signature may be from a rootkit operating on the process directly in RAM.
     
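    A way to do the check the posters above are doing by hand (size on disk, SHA1 against the values Micchan posted, Authenticode status) in one pass, as an added PowerShell example that is not any poster's code; it assumes PowerShell 4 or later (for Get-FileHash) and the standard System32 path, and the reference SHA1 values are taken from the thread, so they only apply to that Win7 SP1 x86 build.

```powershell
# Added example (not from the thread): report size, SHA1/SHA256, version and
# Authenticode status of the binaries discussed above, and compare the SHA1
# against a reference. Reference SHA1s are the ones Micchan posted for a
# Win7 SP1 x86 install; on any other build they will differ.
$targets = @{
    "$env:windir\System32\svchost.exe" = "4af001b3c3816b860660cf2de2c0fd3c1dfb4878"
    "$env:windir\System32\taskmgr.exe" = "d748d5b325e5dd4fadeb837a59f61e55d2636d31"
}

function Test-SystemBinary {
    param([string]$Path, [string]$ExpectedSha1)

    $item = Get-Item -LiteralPath $Path
    # Hash the file on disk. If Task Manager's properties dialog shows 0 bytes
    # but the length here is real and the hash matches, the oddity is in the
    # shell/metadata view, not in the file data (Yen's point above).
    $sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    # Caveat: System32 binaries are usually catalog-signed, not embedded-signed;
    # PowerShell versions without catalog support report them as NotSigned, so
    # NotSigned on its own is not evidence of tampering. HashMismatch is.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path      = $Path
        Bytes     = $item.Length
        Version   = $item.VersionInfo.FileVersion
        SHA1      = $sha1
        SHA256    = $sha256
        SHA1Match = [bool]($ExpectedSha1 -and $sha1 -eq $ExpectedSha1.ToLower())
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

$results = foreach ($path in $targets.Keys) {
    Test-SystemBinary -Path $path -ExpectedSha1 $targets[$path]
}
$results | Format-List

# Flag anything with a 0-byte length on disk, a hash mismatch against the
# reference, or a HashMismatch signature; those deserve sfc /scannow or a
# comparison with a known-good install rather than more scanners.
$results | Where-Object {
    $_.Bytes -eq 0 -or -not $_.SHA1Match -or $_.SigStatus -eq 'HashMismatch'
} | ForEach-Object {
    Write-Warning "Check $($_.Path): bytes=$($_.Bytes) sha1match=$($_.SHA1Match) sig=$($_.SigStatus)"
}
```
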
  15. Micchan

    Micchan MDL Novice

    Aug 7, 2016
    8
    1
    0
    #16 Micchan, Jan 6, 2017
    Last edited: Jan 6, 2017
    (OP)
    Hi, Micchan here.
    Sorry for the late reply, I was away for the Christmas holidays.
    Currently up-to-date with Simplix Dec + .NET 4.6.2 update.
    NetBIOS & other network sharing shenanigans + bad services disabled + decided to set the network to public for additional security.
    Ran ComboFix after a fresh re-install from SP1Media-U.
    Here's the log:
    ComboFix 17-01-04.01 - Satoshi80 01/04/2017 22:16:24.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2037.1489 [GMT 5.5:30]
    Running from: c:\users\Satoshi80\Desktop\m9fnx0.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-12-04 to 2017-01-04 )))))))))))))))))))))))))))))))
    .
    .
    2017-01-05 05:53 . 2017-01-04 16:29--------d-----w-c:\windows\Panther
    2017-01-04 16:48 . 2017-01-04 16:48--------d-----w-c:\users\Default\AppData\Local\temp
    2017-01-04 16:29 . 2017-01-04 16:29--------d-----w-c:\users\Satoshi80
    2017-01-04 16:29 . 2017-01-04 16:29--------d-----w-C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 53552043
    *Deregistered* - 53552043
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-53552043.sys
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2017-01-04 22:19:45
    ComboFix-quarantined-files.txt 2017-01-04 16:49
    .
    Pre-Run: 103,210,217,472 bytes free
    Post-Run: 103,137,792,000 bytes free
    .
    - - End Of File - - 616CE89F4BB9B44B8C5C663591A4DB46
    A36C5E4F47E84449FF07ED3517B43A31

    GMER GMER 2.2.19882
    Rootkit scan 2017-01-06 15:46:13
    Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-3 TOSHIBA_DT01ACA200 rev.MX4OABB0 1863.02GB
    Running: mfdg7dt.exe; Driver: C:\Users\SATOSH~1\AppData\Local\Temp\kwldauog.sys


    ---- Kernel code sections - GMER 2.2 ----

    .text ntkrnlpa.exe!ZwRenameKey + 1549 82A75F05 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB0292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}


    Judging from the CF registry loading points, most seem to be related to RDP? :confused:

    Oh, and I forgot, there were (rogue?) DHCP servers which ZHP removed:
    ~ ZHPCleaner v2017.1.2.1 by Nicolas Coolman (2017/01/02)
    ~ Run by Satoshi80 (Administrator) (04/01/2017 22:06:25)
    ~ Web:
    ~ Blog:
    ~ Facebook :
    ~ State version :
    ~ Type : Repair
    ~ Report : C:\Users\Satoshi80\Desktop\ZHPCleaner.txt
    ~ Quarantine : C:\Users\Satoshi80\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
    ~ UAC : Activate
    ~ Boot Mode : Normal (Normal boot)
    Windows 7 Ultimate, 32-bit Service Pack 1 (Build 7601)


    ---\\ Services (0)
    ~ No malicious or unnecessary items found.


    ---\\ Browser internet (0)
    ~ No malicious or unnecessary items found.


    ---\\ Hosts file (1)
    ~ The hosts file is legitimate (21)


    ---\\ Scheduled automatic tasks. (0)
    ~ No malicious or unnecessary items found.


    ---\\ Explorer ( File, Folder) (0)
    ~ No malicious or unnecessary items found.


    ---\\ Registry ( Key, Value, Data) (1)
    DELETED data: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer [Bad : 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.146 157.54.14.162 157.54.80.10] =>Hijacker.Browser


    ---\\ Summary of the elements found (1)
    =>Hijacker.Browser


    ---\\ Other deletions. (4)
    ~ Registry Keys Tracing deleted (4)
    ~ Remove the old reports ZHPCleaner. (0)


    ---\\ Result of repair
    ~ Repair carried out successfully
    ~ Browser not found (Google Chrome)
    ~ Browser not found (Mozilla Firefox)
    ~ Browser not found (Opera Software)


    ---\\ Statistics
    ~ Items scanned : 200
    ~ Items found : 0
    ~ Items cancelled : 0
    ~ Items repaired : 1


    ~ End of clean in 00h00mn05s
    ~====================
    ZHPCleaner-[R]-04012017-22_06_30.txt
    ZHPCleaner--04012017-22_05_46.txt
     
  16. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,393
    1,465
    180
    Just to make sure, you could run sfc /scannow from a USB boot command prompt with /offbootdir and /offwindir.

    Then maybe run Windows Repair portable in safe mode with networking.