Odd service running on crippled Win7 PC

Discussion in 'malware problems & news' started by Veazer, May 3, 2011.

Thread Status:
Not open for further replies.
  1. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    A student contacted me today because he was unable to boot into Windows (Win7 x86). Safe mode works fine, but if he does a normal boot the screen goes black but he can still hear things going on, startup sounds etc.

    I connected to his pc remotely in safe mode with networking and did a full scan with Malwarebytes AM and found nothing at all. i started manually sifting through startup apps and services and found 1 service that looked unusual with a presumably randomly assigned name of znfxpymewoxg.exe. The service has no description whatsoever as is set to Automatic. I removed the file (keeping a copy for myself) and had him reboot, still nothing. I send the file to virustotal which had no matching hash for the file on record and resulted 0 positives.

    The file metadata just contains names like 'helper.exe', 'helper' and claims it is Copyright 2007.

    I ran it in a VM and watched it with ProcessMonitor, see attached .csv if you're interested.

    Any thoughts?
     

    Attached Files:

  2. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    Interesting, scanned it a second time just 90 minutes later and now PrevX doesn't like it:

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

    MD5: 240eaadab265eeb7085e448bc8d5e41d
    Date first seen: 2011-05-03 12:59:32 (UTC)
    Date last seen: 2011-05-03 12:59:32 (UTC)
    Detection ratio: 0/41
    What do you wish to do?

    Reanalyse! ---> Results:

    File name: znfxpymewoxg.exe.virus!
    Submission date: 2011-05-03 14:36:37 (UTC)
    Current status: finished
    Result: 1/ 41 (2.4%)

    Prevx 3.0 2011.05.03 Medium Risk Malware


    LINKS:
    First report: http://www.virustotal.com/file-scan/report.html?id=2ba5d2c42acbda17a379fbeb2c25438e37625a20976ce0b59e5772a9e3aaeeb3-1304427572
    Second: http://www.virustotal.com/file-scan/report.html?id=2ba5d2c42acbda17a379fbeb2c25438e37625a20976ce0b59e5772a9e3aaeeb3-1304435314
     
  3. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Could be Microsofts own rootkit revealer. It runs as a service and the name is randomly assigned.

    I've come across it a few times and thought it was a virus.
     
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    BTW, is this Win 7 an upgrade from XP ?. Going by your text file, it was created in 4/14/2008, so it's been active a long while. I would still guess this is rootkit revealer
     
  5. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    Considered that, but MS RR is much larger, has an icon, runs from a temp folder, and uses a lowercase filename iirc

    Owner says it was a fresh install 3 days ago. System crapped out with same symptoms and he took it to a shop for a re-install. Lasted a couple of days and then it happened again and he had me look at it. HD is partitioned Windows/Userdata/Userdata so if it is a virus he likely re-executed it.

    EDIT: re-wording for clarity
     
    Last edited: May 3, 2011
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    Do a scan with Hitman Pro and Avira Rescue CD. You can also try SUPERAntiSpyware and Norton Power Eraser as well.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.