
Posted

Anyone else had a trojan warning found in memory with advanced memory scanner?

It relates to c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe. It's on Win 8.1 64-bit, so I disabled the framework in "Programs and Features" and then enabled it again, but there was still a warning for Framework\v2.0.50727\RegSvcs.exe.

 

Online scanners were used (ESET and HouseCall) plus Malwarebytes, and nothing was found. Still, ESET reports a trojan dropper in RegSvcs.exe.

  • Administrators
Posted

It looks like the malware is injected in that process. Does running a full disk scan using the signature db 9007 find the malware on the disk?

  • ESET Insiders
Posted

Here is FileAlyzer 2.x info about that file on my disk. Maybe you can compare:

 

            filename: RegSvcs.exe
            filepath: C:\windows\Microsoft.NET\Framework\v2.0.50727\
            filesize: 32768
     timestamp[file]: 2010-11-21 03:23:56
  timestampraw[file]: 3D751AFC
           age[file]: 1080
             attribs: A+D-H-L-R-S-
             attribs: A+
             attribs: D-H-L-R-S-
            filetype: PE
               crc32: C92CDC1B
                 md5: D79F070423FDD3F01CE8C2BA3FBBC8ED
                sha1: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8
         crc32[file]: C92CDC1B
           md5[file]: D79F070423FDD3F01CE8C2BA3FBBC8ED
          sha1[file]: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8

 

Posted

You just have to compare the hash (or MD5).

If it's different, you should get that file from another box and replace it.
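
The hash comparison suggested in this thread, written out as an added example (this is not code from ESET, FileAlyzer or any of the posters). It parses the FileAlyzer record quoted above for the crc32/md5/sha1 fields, hashes a file on disk the same way FileAlyzer prints them (uppercase hex, CRC-32 zero-padded to 8 digits), and reports which fields match. The reference record embedded below is copied from the thread; the sample file written when no path is given is constructed for demonstration and is not a real RegSvcs.exe.

```python
"""Compare a local file against a FileAlyzer-style reference record.

Added example for this thread; not code from ESET, FileAlyzer or the posters.
Usage: python check_regsvcs.py C:\\windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe
"""
import hashlib
import io
import os
import re
import sys
import tempfile
import zlib

# Reference record as posted earlier in the thread (only the hash lines are used).
REFERENCE_RECORD = """\
            filename: RegSvcs.exe
            filesize: 32768
               crc32: C92CDC1B
                 md5: D79F070423FDD3F01CE8C2BA3FBBC8ED
                sha1: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8
         crc32[file]: C92CDC1B
           md5[file]: D79F070423FDD3F01CE8C2BA3FBBC8ED
          sha1[file]: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8
"""

HASH_FIELDS = ("crc32", "md5", "sha1")
_FIELD_RE = re.compile(r"\s*(crc32|md5|sha1)(?:\[file\])?:\s*([0-9A-Fa-f]+)\s*$")


def parse_filealyzer_record(text):
    """Return {field: UPPERCASE hex} for the crc32/md5/sha1 lines of a FileAlyzer dump."""
    found = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).upper()
    missing = [f for f in HASH_FIELDS if f not in found]
    if missing:
        raise ValueError("record lacks fields: %s" % ", ".join(missing))
    return found


def hash_stream(fh, chunk_size=1 << 16):
    """Compute crc32/md5/sha1 over a binary stream in chunks, formatted like FileAlyzer."""
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
        sha1.update(chunk)
    return {
        "crc32": "%08X" % (crc & 0xFFFFFFFF),  # mask keeps it 32-bit on every Python version
        "md5": md5.hexdigest().upper(),
        "sha1": sha1.hexdigest().upper(),
    }


def hash_bytes(data):
    """Hash an in-memory byte string (convenience wrapper around hash_stream)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    """Hash a file on disk without loading it fully into memory."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def compare_hashes(computed, reference):
    """Return (all_match, {field: bool}). Any mismatching field means a different file."""
    per_field = {f: computed[f] == reference[f] for f in HASH_FIELDS}
    return all(per_field.values()), per_field


def check_file(path, record_text=REFERENCE_RECORD):
    """Hash `path` and compare it to the FileAlyzer record in `record_text`."""
    return compare_hashes(hash_file(path), parse_filealyzer_record(record_text))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    cleanup = False
    if target is None:
        # No path given: demonstrate on a constructed sample file (not a real RegSvcs.exe).
        tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".bin")
        tmp.write(b"constructed sample, not the real RegSvcs.exe")
        tmp.close()
        target, cleanup = tmp.name, True
    ok, fields = check_file(target)
    for f in HASH_FIELDS:
        print("%-5s %s" % (f, "match" if fields[f] else "MISMATCH"))
    print("on-disk file %s the reference record" % ("matches" if ok else "does NOT match"))
    if cleanup:
        os.unlink(target)
```

Two caveats worth keeping in mind when using this. First, a matching hash only establishes that the file on disk is the same binary the other poster has; it says nothing about code injected into the running RegSvcs.exe process, which is what a memory scanner flags, so a clean on-disk comparison does not by itself explain or dismiss the alert. Second, a hash posted by another user is a weaker reference than a copy from a known-good installation of the same .NET version, since RegSvcs.exe differs between framework builds.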

Posted

The RegSvcs.exe does not match the one posted here, so I tested one from another fresh virtual image, and it's the same: crc32, md5 and sha match. Tried ESET and those online scanners available, and it finds nothing.

Posted

You can check your RegSvcs.exe with VirusTotal, but this is unlikely to be malicious.

A log from SysInspector and/or Sysinternals Autoruns could tell more.

  • Administrators
Posted

We still don't know what exactly was detected. Please post the complete record from your threat log here. Note that ESET didn't detect the file RegSvcs.exe but malware that is injected into this process. The file with SHA1 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8 cannot be detected because it has been whitelisted for a long time.
