Odd service running on crippled Win7 PC

Discussion in 'malware problems & news' started by Veazer, May 3, 2011.

Thread Status:
Not open for further replies.
  1. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    A student contacted me today because he was unable to boot into Windows (Win7 x86). Safe mode works fine, but if he does a normal boot the screen goes black but he can still hear things going on, startup sounds etc.

    I connected to his PC remotely in safe mode with networking and did a full scan with Malwarebytes AM and found nothing at all. I started manually sifting through startup apps and services and found one service that looked unusual, with a presumably randomly assigned name of znfxpymewoxg.exe. The service has no description whatsoever and is set to Automatic. I removed the file (keeping a copy for myself) and had him reboot; still nothing. I sent the file to VirusTotal, which had no matching hash for the file on record and resulted in 0 positives.

    The file metadata just contains names like 'helper.exe', 'helper' and claims it is Copyright 2007.

    I ran it in a VM and watched it with ProcessMonitor, see attached .csv if you're interested.

    Any thoughts?
     

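An added example, not code from the thread: a PowerShell triage script that applies the checks described above across all auto-start services (no description, unsigned image, random-looking base name) and prints MD5/SHA256 for a VirusTotal lookup. The "random-looking" heuristic and its thresholds are my own assumption, not anything the original post used.

```powershell
# Added example (not from the thread). Run from an elevated prompt; uses
# Get-WmiObject and .NET hashing so it works on the PowerShell 2.0 shipped
# with Windows 7 as well as newer versions.

function Test-RandomLookingName {
    param([string]$BaseName)
    # Assumed heuristic: long all-lowercase names with few vowels and no
    # digits or separators are typical of generated names, not product names.
    if ($BaseName -notmatch '^[a-z]{8,}$') { return $false }
    $vowels = ([regex]::Matches($BaseName, '[aeiou]')).Count
    return ($vowels / $BaseName.Length) -lt 0.3
}

function Get-FileHashHex {
    param([string]$Path, [string]$Algorithm)
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $algo.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Get-SuspiciousService {
    Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; extract the image path.
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(\S+)') {
            $exe = $Matches[1]
        } else { return }
        if (-not (Test-Path $exe)) { return }
        $base = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
        $noDescription = [string]::IsNullOrEmpty($svc.Description)
        $randomName = Test-RandomLookingName $base.ToLower()
        # A validly signed image is left alone even if it has no description.
        if ($sig -ne 'Valid' -and ($noDescription -or $randomName)) {
            New-Object PSObject -Property @{
                Service = $svc.Name; Image = $exe; Signature = $sig
                NoDescription = $noDescription; RandomName = $randomName
                MD5 = Get-FileHashHex $exe 'MD5'
                SHA256 = Get-FileHashHex $exe 'SHA256'
            }
        }
    }
}

Get-SuspiciousService | Format-List
```

Anything it lists is a candidate for a hash lookup and a closer look, not a verdict; legitimate unsigned third-party services will appear too.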
  2. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    Interesting, scanned it a second time just 90 minutes later and now PrevX doesn't like it:

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

    MD5: 240eaadab265eeb7085e448bc8d5e41d
    Date first seen: 2011-05-03 12:59:32 (UTC)
    Date last seen: 2011-05-03 12:59:32 (UTC)
    Detection ratio: 0/41
    What do you wish to do?

    Reanalyse! ---> Results:

    File name: znfxpymewoxg.exe.virus!
    Submission date: 2011-05-03 14:36:37 (UTC)
    Current status: finished
    Result: 1/ 41 (2.4%)

    Prevx 3.0 2011.05.03 Medium Risk Malware


    LINKS:
    First report: http://www.virustotal.com/file-scan/report.html?id=2ba5d2c42acbda17a379fbeb2c25438e37625a20976ce0b59e5772a9e3aaeeb3-1304427572
    Second: http://www.virustotal.com/file-scan/report.html?id=2ba5d2c42acbda17a379fbeb2c25438e37625a20976ce0b59e5772a9e3aaeeb3-1304435314
     
  3. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Could be Microsoft's own rootkit revealer. It runs as a service and the name is randomly assigned.

    I've come across it a few times and thought it was a virus.
     
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    BTW, is this Win 7 an upgrade from XP? Going by your text file, it was created on 4/14/2008, so it's been active a long while. I would still guess this is rootkit revealer.
     
  5. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    Considered that, but MS RR is much larger, has an icon, runs from a temp folder, and uses a lowercase filename IIRC.

    Owner says it was a fresh install 3 days ago. System crapped out with same symptoms and he took it to a shop for a re-install. Lasted a couple of days and then it happened again and he had me look at it. HD is partitioned Windows/Userdata/Userdata so if it is a virus he likely re-executed it.

    EDIT: re-wording for clarity
     
    Last edited: May 3, 2011
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Do a scan with Hitman Pro and Avira Rescue CD. You can also try SUPERAntiSpyware and Norton Power Eraser as well.
     