Spent a good 6 hrs with this machine yesterday but all seemed to be resolved this morning. We run Endpoint 5 and all clients have LiveGrid enabled.
A new scan just run highlights two infections from PUP found again.
After disabling the autostart programs I could run MS FixIt to be able to activate Windows Firewall - this had been turned off and could not be turned on, with error 80070422.
There were many updates missing and Wupdate was running, so I started patching the system while running another full system scan. Not sure what the definition file was at that time, yet another type of infection was detected.
These were Win32/Wigon.OV and Win32/SPAM.Tool.Mailbot.NAH trojan - both in the svchost.exe process - and one SecurityDisabler in a user.js JavaScript file on the local drive. The JavaScript was in the %appdata%\Mozilla folder; strangely enough there was no Mozilla installed on this machine.
The zumtoxitbgy.exe I had suspected initially was not detected as infected during this or any of the subsequent scans. Nevertheless I left it disabled in autostart.
I still wonder where the attempts to start new infected svchost processes were initiated from. I did not see anything suspicious in the Task Scheduler, nor among running processes (all processes from signed vendors, all negative on VirusTotal check)... I have not figured out yet how to get details of an svchost started in SysWOW64; will do a bit of research on this, as I know how to check what a regular svchost is related to, and this WOW64 approach has caught me unprepared this time.
Several reboots and patching later, a full scan reveals no further infection and the PC appears to behave normally, yet the two new detections after yesterday's clean scan make me think there is still something not quite right.
The existing services running are:
Görüntü Adı               pid      Hizmetler
========================= ======== ============================================
svchost.exe               980      DcomLaunch, PlugPlay, Power
svchost.exe               308      RpcEptMapper, RpcSs
svchost.exe               624      AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe               668      AudioEndpointBuilder, CscService, hidserv, IPBusEnum, Netman, PcaSvc, SysMain, TrkWks, UxSms, WdiSystemHost, Wlansvc, WPDBusEnum, wudfsvc
svchost.exe               516      EventSystem, fdPHost, FontCache, netprofm, nsi, WdiServiceHost, WinHttpAutoProxySvc
svchost.exe               924      BITS, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, seclogon, ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe               1304     CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
svchost.exe               1400     BFE, DPS, MpsSvc, WwanSvc
svchost.exe               2616     bthserv
svchost.exe               3100     RapiMgr, WcesComm
svchost.exe               3912     SSDPSRV, upnphost
svchost.exe               3268     WinDefend
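The listing above comes from tasklist /svc, which shows only the image name, PID and hosted services, so an svchost.exe launched from SysWOW64 (or anywhere else) looks identical to the genuine service host in System32. The following PowerShell is an added example, not part of the original post and not ESET tooling: it joins Win32_Process with Win32_Service to produce the same PID-to-service mapping, and additionally shows each instance's image path, command line (the -k group) and parent process, flagging any svchost.exe that is not %SystemRoot%\System32\svchost.exe, hosts no service, or was not started by services.exe. It is read-only; run it from an elevated prompt so the path and command line of every process are visible.

```powershell
# Added example (not from the original post): map every running svchost.exe to its
# hosted services, image path and parent, so instances outside System32 or with no
# hosted services stand out. Read-only; elevate for full detail on all processes.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index running services by the PID of the process hosting them (what tasklist /svc shows).
$servicesByPid = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    if (-not $servicesByPid.ContainsKey($_.ProcessId)) { $servicesByPid[$_.ProcessId] = @() }
    $servicesByPid[$_.ProcessId] += $_.Name
}

Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $svcs  = $servicesByPid[$_.ProcessId]
    $flags = @()

    # The genuine service host lives in System32; SysWOW64 or any other location is worth a look.
    if ($_.ExecutablePath -and ($_.ExecutablePath -ne $expectedPath)) { $flags += 'unexpected-path' }

    # An svchost.exe that hosts no service has no business running.
    if (-not $svcs) { $flags += 'no-services' }

    # Legitimate service hosts are started by services.exe; anything else is suspicious.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'services.exe') { $flags += "parent=$parentName" }

    [pscustomobject]@{
        PID      = $_.ProcessId
        Path     = $_.ExecutablePath
        CmdLine  = $_.CommandLine
        Services = ($svcs -join ', ')
        Flags    = ($flags -join ' ')
    }
} | Sort-Object PID | Format-Table -AutoSize -Wrap
```

Rows with an empty Flags column correspond to the normal service groups in the listing above; a row flagged unexpected-path, no-services or with a parent other than services.exe is the one to investigate further (for example with the full module list of that PID), and an empty Path or CmdLine for a PID usually means the script was run without elevation rather than that the process is hiding.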