Variant of Win32/Wigon.PI detected, unable to clean

[pinky 1]

Hi,

I installed on one of our Win7 x64 company PCs and immediately an infection has been detected. ESET continuously repoerts Wigon.PI trojan to be detected in svchost.exe, cleaning it, yet the message comes back every second as new process is started.

I checked running processes using ProcessExplorer and see there are numerous C:\Windows\SysWOW64\svchost.exe running.

 

Checking the hash of these svchosts.exe at virustotal.com reveals no suspicion, the file is signed and appears to be authentic. However this does not look like a regular service host, I can't see any dlls it would be running.

 

 

I tried to kill all processes but withing short time new are started.

 

There is a suspicios zomtuxitbogy.exe set in autostart as well as regedit.exe, both disabled in msconfig now.

 

Apparently ESET is unable to find the root cause of the installation while it detects attempts to run malicious process and stop it. 

 

Any ideas how to further investigate and clean in full?

 

 

[Marcos 5,074]

Let us know if scanning the file zomtuxitbogy.exe or the whole disk with signature database 11377 (should be available within an hour) detects the malware. Should the problem persist, we'll need to get logs and possibly a dump of svchost process in which the malware was detected for further analysis.

 

Also make sure that you have Endpoint v5 or v6 installed and Live Grid enabled.

[yongsua 16]

I would also suggest that you perform a full scan in safe mode and see if ESET is able to find and clean any traces of that malware.

[pinky 1]

Spend a good 6 hrs with this machien yesterday but all seemed to be resolved thsi morning. We run Endpoint5 and all clients have LiveGrid enabled.

A new scan just running highlights two infections from PUP found again.

 

After disabling the autostart programs I could run MS FixIt to be able to activate windows firewall - this has been turned off and unable to turn-on with error 80070422. 

 

Ther has been many updates missing and Wupdate was running so I started patching the system while running another full system scan. Not sure what was the definition file at that time, yes there were another type of infection detected.

These were Win32/Wigon.OV, Win32/SPAM.Tool.Mailbot.NAH trojan - both in svchost.exe process and one SecurityDisabler in useer.js javascript on the local drive. The javascritp was in %appdata%\Mozilla folder, starnge enough there was no mozilla installed on this machine.

The zumtoxitbgy.exe I have suspected initially was not detected as infected during this and none of consequent scans. Nevertheless I left this disabled in autostart.

 

I still think about where from were the attempts to start new infected svchost processes initiated. Did not see anything suspicious in the Task Scheduler, neither among running processes (all processes from signed vendors, all negative on VirusTotal check)... I did not figure out yet how how to get details of svchost started in SysWOW64 .. will do a bit research on this as I know hwo to check what a regilar svchost is related to, and thsi WOW64 approach has catched me unprepared this time.

 

Several reboots and patching, full scan reveals no further infection and PC appears to behave normally, yet the two new detections after clean scan yesterday make me think there is still something not quite right.

 

The existing services running are:

Görüntü Adı                    pid Hizmetler
========================= ======== ============================================
svchost.exe                    980 DcomLaunch, PlugPlay, Power
svchost.exe                    308 RpcEptMapper, RpcSs
svchost.exe                    624 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe                    668 AudioEndpointBuilder, CscService, hidserv,
                                   IPBusEnum, Netman, PcaSvc, SysMain, TrkWks,
                                   UxSms, WdiSystemHost, Wlansvc, WPDBusEnum,
                                   wudfsvc
svchost.exe                    516 EventSystem, fdPHost, FontCache, netprofm,
                                   nsi, WdiServiceHost, WinHttpAutoProxySvc
svchost.exe                    924 BITS, EapHost, gpsvc, IKEEXT, iphlpsvc,
                                   LanmanServer, MMCSS, ProfSvc, Schedule,
                                   seclogon, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
svchost.exe                   1304 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
svchost.exe                   1400 BFE, DPS, MpsSvc, WwanSvc
svchost.exe                   2616 bthserv
svchost.exe                   3100 RapiMgr, WcesComm
svchost.exe                   3912 SSDPSRV, upnphost
svchost.exe                   3268 WinDefend

Edited March 26, 2015 by pinky

[pinky 1]

Some more updates picked from WUPDATE today, after two latest PUP infections cleaned, no new detected and system appears to run okay.

 

SOLVED