svchost: corrupted/injected modules?

Discussion in 'other security issues & news' started by learningcurve, May 20, 2013.

Thread Status:
Not open for further replies.
  1. learningcurve (Registered Member; joined Apr 14, 2012; 47 posts; location: usa)

    Hi,

    Has anyone seen this before?

    Svchost (local service network restricted: dhcp, sec center, win audio, events), upon a soft reboot immediately after surfing, loaded files from

    system32\en-US\*.mui (s)
    system32\drivers

    The drivers were all "relocated dlls" of services/functions related to remote connections, and many already disabled on my system:

    RDP (terminal svcs)
    nwifi.sys
    wwansvc.sys
    vhdmp.sys
    vdrvroot.sys
    disk.sys
    http.sys
    cttune.exe
    (and many more)


    This appeared for a duration of 30 minutes after the soft boot, then suddenly disappeared, the suspect files being replaced with more normal dlls from the correct system32 folder. Memory resident? I was able to get 2/3 of the files in screenshots, but not all.

    Scanned the computer with Htmnpro and MBam; *nothing* is ever found, even with KRD and Avira Rescue. Firewall w/ hips did not alert on any of this.

    sample screenshots:

    Last edited: May 20, 2013
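A defender's check for the kind of observation described in the post, added here as an example and not part of the original thread: enumerate the modules mapped into every running svchost.exe and flag any whose file lives outside the Windows directory or whose Authenticode signature does not verify. It assumes an elevated PowerShell session on Windows; the variable names are this example's own.

```powershell
# Added example (not from the original post): list the modules loaded by each
# svchost.exe and report anything outside the Windows directory or without a
# valid Authenticode signature. Run elevated; without admin rights the Modules
# collection of service-hosting processes is not readable.
$windowsRoot = [Environment]::GetFolderPath('Windows')   # e.g. C:\Windows

$findings = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    # Reading Modules of a process in another session can throw (access denied).
    try { $modules = $proc.Modules } catch { continue }
    foreach ($m in $modules) {
        $path = $m.FileName
        $outside = -not $path.StartsWith($windowsRoot, [StringComparison]::OrdinalIgnoreCase)
        # Older PowerShell versions do not consult catalog signatures, so on those
        # a NotSigned result for a file under system32 can be expected; on 5.1 and
        # later catalog-signed system files verify as Valid.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $badSig = ($null -eq $sig) -or ($sig.Status -ne 'Valid')
        if ($outside -or $badSig) {
            [pscustomobject]@{
                PID      = $proc.Id
                Module   = $path
                Outside  = $outside
                SigState = if ($sig) { $sig.Status } else { 'Unreadable' }
            }
        }
    }
}

$findings | Sort-Object PID, Module | Format-Table -AutoSize
```

A module that appears here with a valid Microsoft signature and a path under system32 (including the en-US\*.mui resource files) is the normal case; the rows worth a second look are unsigned files or anything mapped from outside the Windows directory.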