pinky, Posted March 25, 2015

Hi, I installed on one of our Win7 x64 company PCs and immediately an infection was detected. ESET continuously reports the Wigon.PI trojan as detected in svchost.exe and cleans it, yet the message comes back every second as a new process is started. I checked the running processes using Process Explorer and see there are numerous C:\Windows\SysWOW64\svchost.exe running. Checking the hash of these svchost.exe files at virustotal.com reveals no suspicion; the file is signed and appears to be authentic. However, this does not look like a regular service host: I can't see any DLLs it would be running. I tried to kill all the processes, but within a short time new ones are started. There is a suspicious zomtuxitbogy.exe set in autostart as well as regedit.exe, both disabled in msconfig now. Apparently ESET is unable to find the root cause of the installation, while it detects attempts to run the malicious process and stops it. Any ideas how to further investigate and clean in full?
Marcos (Administrator, marked as Solution), Posted March 25, 2015

Let us know if scanning the file zomtuxitbogy.exe or the whole disk with signature database 11377 (should be available within an hour) detects the malware. Should the problem persist, we'll need to get logs and possibly a dump of the svchost process in which the malware was detected for further analysis. Also make sure that you have Endpoint v5 or v6 installed and LiveGrid enabled.
yongsua, Posted March 26, 2015

I would also suggest that you perform a full scan in Safe Mode and see if ESET is able to find and clean any traces of that malware.
pinky (Author), Posted March 26, 2015 (edited)

Spent a good 6 hrs with this machine yesterday, but all seemed to be resolved this morning. We run Endpoint 5 and all clients have LiveGrid enabled. A new scan just running highlights two infections from PUPs found again.

After disabling the autostart programs I could run MS FixIt to be able to activate the Windows Firewall; this had been turned off and could not be turned on, with error 80070422. There had been many updates missing and Windows Update was running, so I started patching the system while running another full system scan. Not sure what the definition file was at that time, but yes, there was another type of infection detected. These were Win32/Wigon.OV and Win32/SPAM.Tool.Mailbot.NAH trojan, both in the svchost.exe process, and one SecurityDisabler in a user.js JavaScript file on the local drive. The JavaScript was in the %appdata%\Mozilla folder; strangely enough, there was no Mozilla installed on this machine. The zumtoxitbgy.exe I suspected initially was not detected as infected during this or any of the subsequent scans. Nevertheless I left it disabled in autostart.

I still think about where the attempts to start new infected svchost processes were initiated from. Did not see anything suspicious in the Task Scheduler, nor among the running processes (all processes from signed vendors, all negative on a VirusTotal check)... I have not yet figured out how to get details of an svchost started in SysWOW64; will do a bit of research on this, as I know how to check what a regular svchost is related to, and this WOW64 approach has caught me unprepared this time. After several reboots and patching, a full scan reveals no further infection and the PC appears to behave normally, yet the two new detections after yesterday's clean scan make me think there is still something not quite right.
The existing services running are (tasklist /svc output, headers translated from Turkish):

Image Name    PID    Services
============  =====  ============================================
svchost.exe   980    DcomLaunch, PlugPlay, Power
svchost.exe   308    RpcEptMapper, RpcSs
svchost.exe   624    AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe   668    AudioEndpointBuilder, CscService, hidserv, IPBusEnum, Netman, PcaSvc, SysMain, TrkWks, UxSms, WdiSystemHost, Wlansvc, WPDBusEnum, wudfsvc
svchost.exe   516    EventSystem, fdPHost, FontCache, netprofm, nsi, WdiServiceHost, WinHttpAutoProxySvc
svchost.exe   924    BITS, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, seclogon, ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe   1304   CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
svchost.exe   1400   BFE, DPS, MpsSvc, WwanSvc
svchost.exe   2616   bthserv
svchost.exe   3100   RapiMgr, WcesComm
svchost.exe   3912   SSDPSRV, upnphost
svchost.exe   3268   WinDefend

Edited March 26, 2015 by pinky
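The post above asks how to get details of an svchost.exe started from SysWOW64, and the tasklist /svc listing only shows the svchost instances that actually host a service. The script below is an added example, not code from the thread or from ESET, that does the cross-check a responder would want on this machine: it maps every svchost.exe process to the services it hosts (via Win32_Service.ProcessId), and flags instances that run from SysWOW64, host no service, were not started by services.exe, lack the usual "-k group" command line, or are not a validly signed Microsoft binary. The variable and flag names are my own; the cmdlets and WMI classes are standard on Windows 7 with PowerShell 2.0 or later. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread): triage svchost.exe instances.
# A legitimate svchost is started by services.exe with "-k <group>" and hosts
# at least one registered service. A malware-spawned svchost.exe (a signed
# Microsoft image started only to have code injected into it) typically has a
# different parent, no "-k" argument and no service mapped to its PID.

# Map PID -> list of service names hosted in that process.
$svcByPid = @{}
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object {
        if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
        $svcByPid[$_.ProcessId] += $_.Name
    }

$report = foreach ($p in Get-WmiObject -Class Win32_Process -Filter "Name='svchost.exe'") {
    $path   = $p.ExecutablePath
    $cmd    = $p.CommandLine
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $hosted = $svcByPid[$p.ProcessId]

    # Authenticode check on the on-disk image. A valid Microsoft signature does
    # NOT clear the process: injected code lives only in memory, which is why a
    # process dump (as suggested earlier in the thread) is still needed.
    $sig = $null
    if ($path -and (Test-Path $path)) { $sig = Get-AuthenticodeSignature -FilePath $path }

    $flags = @()
    if ($path -and $path -like '*\SysWOW64\*')   { $flags += '32-bit (SysWOW64) svchost' }
    if (-not $hosted)                             { $flags += 'hosts no service' }
    if ($parentName -ne 'services.exe')           { $flags += "parent is $parentName, not services.exe" }
    if (-not $cmd -or $cmd -notmatch '(?i)\s-k\s') { $flags += 'no -k service group on command line' }
    if (-not $sig -or $sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'Microsoft') { $flags += 'image not validly Microsoft-signed' }

    New-Object PSObject -Property @{
        PID      = $p.ProcessId
        Parent   = $parentName
        Path     = $path
        Services = ($hosted -join ', ')
        CmdLine  = $cmd
        Flags    = ($flags -join '; ')
    }
}

# Suspicious instances first; a clean host shows an empty Flags column for every row.
$report | Sort-Object @{Expression = { $_.Flags.Length }; Descending = $true}, PID |
    Format-Table PID, Parent, Services, Flags, CmdLine -AutoSize -Wrap
```

Two caveats when reading the output. A 32-bit svchost.exe from SysWOW64 is not by itself malicious; a third-party 32-bit service can legitimately register %SystemRoot%\SysWOW64\svchost.exe -k <group> as its image path, so treat the WOW64 flag as a reason to look at the other columns, not as a verdict. And the parent check relies on the parent still being alive: Windows reuses PIDs, so a parent shown as `<exited>` or as an unrelated process means the launcher is gone, which on this machine would point back at whatever autostart entry or scheduled task re-spawns the processes, rather than clearing them.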
pinky (Author), Posted March 26, 2015

Some more updates picked up from Windows Update today; after the two latest PUP infections were cleaned, no new ones were detected and the system appears to run okay. SOLVED