Hi, my GlassWire alerted me yesterday that my svchost might be being hijacked (image.prntscr.com/image/27fba0cd54a24578a3e9202af0b970ae.png), so I scanned with MBAM and got nothing, then I ended up system restoring from a previous disk image backup from 2 days ago. When I click Properties of any svchost (and all system processes) via Task Manager, it shows me size 0 bytes (image.prntscr.com/image/caf939bc2fc447418013ee9e2ad5b008.png) even now, but when I click Open file location > system32\svchost.exe > Properties, it shows the real size (image.prntscr.com/image/17c1fdb0f3c44bc7a82599f5303c14f4.png). I was wondering, is it normal for svchost (or all system processes) to show size 0 bytes in Properties when I click Properties directly via Task Manager? My PC is Win 7 SP1 Ultimate with Simplix up-to-date + latest Malwarebytes Anti-Malware + Exploit installed.
Hello. Can you calculate the SHA1 checksum of the svchost.exe file in the System32 folder? (Use HashMyFiles, for example.) And post the SHA1 sum here. Or upload the file to VirusTotal and give us the link to the report.
Checksums generated by ExactFile 1.0.0.15
12/10/2016 5:45:12 PM

C:\Windows\System32\svchost.exe
20992 bytes
ADLER32: 37e8408c
CRC32: 4b0eaf31
MD2: 2a732a0ba3dd218a2f5a8a204ee690cf
MD4: be3f2a22b071e3db991337117c2faef0
MD5: 54a47f6b5e09a77e61649109c6a08866
SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
SHA384: bcf15767e0ea5fee505b7cd724dfa9f6d0cd68d5b7a9a1c0d60cafd105ebc71f686233a70e0ea0b9373e3d0cd8b217d9
SHA512: 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
RIPEMD128: 378f4f676a9a866d2553cb2cc27b01ee
RIPEMD160: d803f83d339b1312e7ec3cc3cfdd195c03f510bb
TIGER128: 5c4d02380ec008518cc2130457f7819f
TIGER160: 5c4d02380ec008518cc2130457f7819f6531b48b
TIGER192: 5c4d02380ec008518cc2130457f7819f6531b48b8ec30490
GOST: ee946bd68c88e84ea376fbf26a0ab1a54a55717343d4cfd38fc1c3ffc854a6f0

edit: all running files show 0 bytes when I open them via Task Manager > Properties > file details. I didn't originally check other files yesterday since I thought it had something to do with OS files.
Here are my Task Manager hashes to verify:

Checksums generated by ExactFile 1.0.0.15
12/10/2016 6:24:32 PM

C:\Windows\System32\taskmgr.exe
227328 bytes
ADLER32: 8eaab9fd
CRC32: 862c12d5
MD2: 9c766578327917ac44060313dc0afd86
MD4: f2a21830ef69b2baa42ed8c80d8f400b
MD5: 545bf7eaa24a9e062857d0742ec0b28a
SHA1: d748d5b325e5dd4fadeb837a59f61e55d2636d31
SHA256: 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf
SHA384: 832e32d0a91ed59d3618f25e9f45de2265690e1f1943f9dd4fd5aee17d2d6b3ec1eb66380ca982450985b2c9494d8b9c
SHA512: b132a23f443a75deb7bd10415efb871524b63860b2eb30a198dea2f7e67a1fa3bcdc5344dc98f306c8b93452329d6422d5264c1d64a403abeaf7db1662980f1a
RIPEMD128: eb3dbfb02f829f54a7a28beedde214ca
RIPEMD160: f5c86de6c3f1dd3b94a919724829f8837f3c1aae
TIGER128: e5d1be0f459ab87ed78bd296fccf5582
TIGER160: e5d1be0f459ab87ed78bd296fccf5582f177ca4e
TIGER192: e5d1be0f459ab87ed78bd296fccf5582f177ca4ed6133198
GOST: a9cfd40389a6b7244fbf7db92b9450c2f055d4396171bc0082e6448de9af96a0
Booted into safe mode and ran as administrator; I got nothing with DarkCometRemover. Here's my RogueKiller log:

RogueKiller V12.8.4.0 [Dec 5 2016] (Free) by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Safe mode
User : compaq [Administrator]
Started from : E:\Downloads\Programs\RogueKiller.exe
Mode : Delete -- Date : 12/10/2016 21:59:42 (Duration : 00:14:53)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{cacd3178-4c86-52cb-87bf-eb0ef10e6e26} (C:\Users\compaq\AppData\Roaming\JPL-NASA-Caltech\NASA's Eyes\npNASAEyes.dll) -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DF269D74-5AE1-4915-A41B-806027A0A815} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE|Name=LogiOptionsMgr.EXE|Desc=LogiOptionsMgr.EXE| [7] -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DF269D74-5AE1-4915-A41B-806027A0A815} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE|Name=LogiOptionsMgr.EXE|Desc=LogiOptionsMgr.EXE| [7] -> Deleted
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Replaced (2)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4247704052-1317690640-1364796352-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4247704052-1317690640-1364796352-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA200 ATA Device +++++
--- User ---
[MBR] 348a123da8cac430ae71cb08cd5b1848
[BSP] a8c1f2d06ea7412209ccd8594377808c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 107628 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 220628992 | Size: 899999 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2063826944 | Size: 900000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Currently downloading the Windows 7 SP1 Media Refresh ISO from Daz's thread.
So RogueKiller will ID the presence of DarkComet. Then it seems prudent to run it and see what it says. Its outcome will determine the next step, right? Is MBAM capable of determining the presence of DarkComet and removing it? I'm confused: which program, or programs, are you recommending to detect and remove DarkComet, RogueKiller or MBAM, or maybe both?
Both are supposed to detect it (the RogueKiller developer now works for Malwarebytes), but RogueKiller is more powerful in its tasks. From what I've seen in the RogueKiller report, there are no files related to any "malicious" threats, which seems strange. Why did svchost.exe change? Why did it lose its signature? And why isn't it detected? I need to do further research on this. So, Micchan, keep the ISO safe somewhere until changes.
Download Autoruns, check the checksums for all files there and scan them (VirusTotal). Looks like your PC is infected so badly. Download and run HitmanPro (optionally).
The checksums of svchost.exe and taskmgr.exe are perfectly right! Showing 0 bytes indicates manipulation of the filesystem/fileinfo (metadata), not the data themselves.
svchost version: 6.1.7600.16385
taskmgr.exe: 6.1.7601.17514
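One way to do in a single pass the checks this thread circles around (on-disk size versus Task Manager's 0 bytes, the Authenticode signature, the SHA1 against the values posted above, and whether every running instance is actually loaded from System32), written here as an added PowerShell example and not code posted by anyone in the thread. It assumes PowerShell 4.0 or later for Get-FileHash and an elevated prompt so Get-Process can read the image path of system processes; the reference hashes are the Win7 SP1 x86 values from the posts above and will legitimately differ on any other build.

```powershell
# Added example (not from the thread): sanity-check svchost.exe / taskmgr.exe.
# Reference SHA1 values are the ones posted in this thread (Win7 SP1 x86).
$referenceSha1 = @{
    'svchost.exe' = '4af001b3c3816b860660cf2de2c0fd3c1dfb4878'
    'taskmgr.exe' = 'd748d5b325e5dd4fadeb837a59f61e55d2636d31'
}

function Test-SystemBinary {
    param([Parameter(Mandatory)][string]$Name)

    $expectedPath = Join-Path $env:SystemRoot "System32\$Name"
    $result = [ordered]@{ Name = $Name; Path = $expectedPath }

    # 1. Size as the file system reports it (Task Manager's 0 bytes is a
    #    display quirk when it cannot read the image; the file has a real size).
    $file = Get-Item -LiteralPath $expectedPath -ErrorAction Stop
    $result.SizeBytes = $file.Length

    # 2. Authenticode signature: must be Valid and chain to Microsoft.
    #    Caveat: Win7 system files are catalog-signed; older PowerShell may
    #    report NotSigned for them, so re-check with Sysinternals sigcheck,
    #    which consults catalogs, before treating that as a finding.
    $sig = Get-AuthenticodeSignature -FilePath $expectedPath
    $result.SignatureStatus  = $sig.Status
    $result.Signer           = $sig.SignerCertificate.Subject
    $result.SignedByMicrosoft = ($sig.Status -eq 'Valid' -and
        $sig.SignerCertificate.Subject -like '*Microsoft*')

    # 3. Hash against the reference posted in the thread (-eq ignores case).
    $sha1 = (Get-FileHash -LiteralPath $expectedPath -Algorithm SHA1).Hash
    $result.SHA1 = $sha1
    if ($referenceSha1.ContainsKey($Name)) {
        $result.MatchesReference = ($sha1 -eq $referenceSha1[$Name])
    }

    # 4. Every running instance must be loaded from that exact path; a copy
    #    running from AppData or Temp is the classic sign of a masquerading
    #    process. Path is $null for protected processes without elevation.
    $base  = [IO.Path]::GetFileNameWithoutExtension($Name)
    $procs = @(Get-Process -Name $base -ErrorAction SilentlyContinue)
    $result.RunningInstances = $procs.Count
    $result.ForeignInstances = @($procs | Where-Object {
        $_.Path -and ($_.Path -ne $expectedPath)
    } | Select-Object Id, Path)

    [pscustomobject]$result
}

foreach ($n in $referenceSha1.Keys) { Test-SystemBinary -Name $n | Format-List }
```

A non-empty ForeignInstances list, or a Valid signature that does not chain to Microsoft, is the result worth acting on; a hash mismatch alone on a different build is expected.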
Hi, Micchan here. Sorry for the late reply, I was away for the Christmas holidays. Currently up-to-date with Simplix Dec + .NET 4.6.2 update. NetBIOS and other network sharing shenanigans + bad services disabled + decided to set the network to public for additional security. Ran ComboFix after a fresh re-install from SP1Media-U. Here's the log:

ComboFix 17-01-04.01 - Satoshi80 01/04/2017 22:16:24.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2037.1489 [GMT 5.5:30]
Running from: c:\users\Satoshi80\Desktop\m9fnx0.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2016-12-04 to 2017-01-04 )))))))))))))))))))))))))))))))
.
.
2017-01-05 05:53 . 2017-01-04 16:29 -------- d-----w- c:\windows\Panther
2017-01-04 16:48 . 2017-01-04 16:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2017-01-04 16:29 . 2017-01-04 16:29 -------- d-----w- c:\users\Satoshi80
2017-01-04 16:29 . 2017-01-04 16:29 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 53552043
*Deregistered* - 53552043
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-53552043.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2017-01-04 22:19:45
ComboFix-quarantined-files.txt 2017-01-04 16:49
.
Pre-Run: 103,210,217,472 bytes free
Post-Run: 103,137,792,000 bytes free
.
- - End Of File - - 616CE89F4BB9B44B8C5C663591A4DB46 A36C5E4F47E84449FF07ED3517B43A31

GMER:

GMER 2.2.19882 Rootkit scan 2017-01-06 15:46:13
Windows 6.1.7601 Service Pack 1
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-3 TOSHIBA_DT01ACA200 rev.MX4OABB0 1863.02GB
Running: mfdg7dt.exe; Driver: C:\Users\SATOSH~1\AppData\Local\Temp\kwldauog.sys

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRenameKey + 1549 82A75F05 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB0292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

Judging from the ComboFix registry loading points, most seem to be related to RDP? Oh, and I forgot there were (rogue?) DHCP servers which ZHP removed:

~ ZHPCleaner v2017.1.2.1 by Nicolas Coolman (2017/01/02)
~ Run by Satoshi80 (Administrator) (04/01/2017 22:06:25)
~ Web:
~ Blog:
~ Facebook :
~ State version :
~ Type : Repair
~ Report : C:\Users\Satoshi80\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Satoshi80\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 7 Ultimate, 32-bit Service Pack 1 (Build 7601)

---\\ Services (0)
~ No malicious or unnecessary items found.

---\\ Browser internet (0)
~ No malicious or unnecessary items found.

---\\ Hosts file (1)
~ The hosts file is legitimate (21)

---\\ Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.

---\\ Explorer ( File, Folder) (0)
~ No malicious or unnecessary items found.

---\\ Registry ( Key, Value, Data) (1)
DELETED data: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer [Bad : 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.146 157.54.14.162 157.54.80.10] =>Hijacker.Browser

---\\ Summary of the elements found (1)
=>Hijacker.Browser

---\\ Other deletions. (4)
~ Registry Keys Tracing deleted (4)
~ Remove the old reports ZHPCleaner. (0)

---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Google Chrome)
~ Browser not found (Mozilla Firefox)
~ Browser not found (Opera Software)

---\\ Statistics
~ Items scanned : 200
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 1

~ End of clean in 00h00mn05s
~====================
ZHPCleaner-[R]-04012017-22_06_30.txt
ZHPCleaner--04012017-22_05_46.txt
Just to make sure, you could run sfc /scannow from a USB-boot command prompt with /offbootdir and /offwindir, then maybe run Windows Repair Portable in safe mode with networking.