pejomo 0 Posted November 5, 2013 Anyone else had a trojan warning found in memory with the advanced memory scanner? It relates to c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe. It's on Win 8.1 64-bit, so I disabled the framework in "Programs and Features" then enabled it again, but there was still a warning for Framework\v2.0.50727\RegSvcs.exe. Online scanners used were ESET and HouseCall + Malwarebytes, and nothing was found. Still, ESET reports a trojan dropper in RegSvcs.exe.
Marcos 5,462 (Administrators) Posted November 5, 2013 It looks like the malware is injected in that process. Does running a full disk scan using the signature db 9007 find the malware on the disk?
PodrskaNORT 17 (ESET Insiders) Posted November 5, 2013 Here is FileAlyzer 2.x info about that file on my disk. Maybe you can compare:

filename: RegSvcs.exe
filepath: C:\windows\Microsoft.NET\Framework\v2.0.50727\
filesize: 32768
timestamp[file]: 2010-11-21 03:23:56
timestampraw[file]: 3D751AFC
age[file]: 1080
attribs: A+D-H-L-R-S-
attribs: A+
attribs: D-H-L-R-S-
filetype: PE
crc32: C92CDC1B
md5: D79F070423FDD3F01CE8C2BA3FBBC8ED
sha1: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8
crc32[file]: C92CDC1B
md5[file]: D79F070423FDD3F01CE8C2BA3FBBC8ED
sha1[file]: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8
Arakasi 549 Posted November 5, 2013 Just have to compare the hash or md5. If different you should get that file from another box and replace it.
pejomo 0 (Author) Posted November 5, 2013 The RegSvcs.exe does not match the one posted here, so I tested one from another fresh virtual image and it's the same: crc32, md5 and sha match. Tried ESET and those online scanners available and it finds nothing.
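The comparison Arakasi suggests and pejomo carried out, as an added example that is not code from anyone in the thread: it hashes a file in a streaming fashion and checks size, CRC32, MD5 and SHA-1 against the FileAlyzer values posted above. A full match means the file on disk is the known-good RegSvcs.exe, which points to in-memory injection rather than a replaced binary, as Marcos notes; the default path is the one from the original post and can be overridden on the command line.

```python
import hashlib
import sys
import zlib

# Known-good values for RegSvcs.exe (v2.0.50727) as posted in the thread.
REFERENCE = {
    "size": 32768,
    "crc32": "C92CDC1B",
    "md5": "D79F070423FDD3F01CE8C2BA3FBBC8ED",
    "sha1": "2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8",
}


def hashes_of_bytes(data: bytes) -> dict:
    """Size, CRC32, MD5 and SHA-1 (upper-case hex, FileAlyzer style) of an in-memory blob."""
    return {
        "size": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def file_hashes(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same result as hashes_of_bytes, but streamed so large files need not fit in memory."""
    size, crc = 0, 0
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)   # running CRC across chunks
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": size, "crc32": f"{crc & 0xFFFFFFFF:08X}",
            "md5": md5.hexdigest().upper(), "sha1": sha1.hexdigest().upper()}


def compare_to_reference(actual: dict, reference: dict = REFERENCE) -> list:
    """Names of the fields that differ from the reference; an empty list means a full match."""
    return [k for k in reference
            if str(actual.get(k, "")).upper() != str(reference[k]).upper()]


if __name__ == "__main__":
    # Default path is the one from the original post; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else \
        r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    result = file_hashes(target)
    for name, value in result.items():
        print(f"{name}: {value}")
    diff = compare_to_reference(result)
    print("MATCH: identical to the reference copy" if not diff
          else f"MISMATCH in: {', '.join(diff)}")
```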
Veremo 6 Posted November 7, 2013 You can check your RegSvcs.exe with VirusTotal, but this is unlikely malicious. A log from SysInspector and/or Sysinternals Autoruns could tell more.
Marcos 5,462 (Administrators) Posted November 7, 2013 We still don't know what exactly was detected. Please post the complete record from your threat log here. Note that ESET didn't detect the file RegSvcs.exe but malware which is injected in this process. File with sha1 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8 cannot be detected because it's been whitelisted for a long time.