pejomo 0 Posted November 5, 2013 Share Posted November 5, 2013 Anyone else had a trojan warning found in memory with advanced memory scanner? It relates to c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe. Its on win 8.1 64 bit so disabled framework in "program and features" then enabled it again, but still there was warning for Framework\v2.0.50727\RegSvcs.exe. Online scanners was used eset and housecall + malwarebytes and nothing was found. Still eset reports a trojan dropper in RegSvcs.exe Link to comment Share on other sites More sharing options...
Administrators Marcos 4,935 Posted November 5, 2013 Administrators Share Posted November 5, 2013 It looks like the malware is injected in that process. Does running a full disk scan using the signature db 9007 find the malware on the disk? Link to comment Share on other sites More sharing options...
ESET Insiders PodrskaNORT 17 Posted November 5, 2013 ESET Insiders Share Posted November 5, 2013 Here is FileAlyzer 2.x info about that file on my disk. Maybe you can compare: filename: RegSvcs.exe filepath: C:\windows\Microsoft.NET\Framework\v2.0.50727\ filesize: 32768 timestamp[file]: 2010-11-21 03:23:56 timestampraw[file]: 3D751AFC age[file]: 1080 attribs: A+D-H-L-R-S- attribs: A+ attribs: D-H-L-R-S- filetype: PE crc32: C92CDC1B md5: D79F070423FDD3F01CE8C2BA3FBBC8ED sha1: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8 crc32[file]: C92CDC1B md5[file]: D79F070423FDD3F01CE8C2BA3FBBC8ED sha1[file]: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8 Link to comment Share on other sites More sharing options...
Arakasi 549 Posted November 5, 2013 Share Posted November 5, 2013 Just have to compare the hash or md5. If different you should get that file from another box and replace it. Link to comment Share on other sites More sharing options...
pejomo 0 Posted November 5, 2013 Author Share Posted November 5, 2013 The RegSvcs.exe does not match the one posted here, so tested one from another fresh virtual image and its the same crc32, md5 and sha match. Tried eset and those online scanners available and it finds nothing. Link to comment Share on other sites More sharing options...
Veremo 6 Posted November 7, 2013 Share Posted November 7, 2013 You can check your RegSvcs.exe with VirusTotal but this is unlikely malicious. Log form SysInspector and/or Sysinternals Autoruns could tell more. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,935 Posted November 7, 2013 Administrators Share Posted November 7, 2013 We still don't know what exactly was detected. Please post the complete record from your threat log here. Note that ESET didn't detect the file RegSvcs.exe but malware which is injected in this process. File with sha1 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8 cannot be detected because it's been whitelisted for a long time. Link to comment Share on other sites More sharing options...
Recommended Posts