Author Topic: Trouble Understanding Service Infections (MalPE Variations)  (Read 5990 times)


June 02, 2017, 11:16:32 PM

prints

Hello,
I am pretty good about keeping my machines clean, and usually don't have any problems. Recently I ran a scan with RogueKiller and it returned several Services/Processes it says are infected with multiple different series of a trojan it reports as MalPE. I have 2 machines that seem to have infected services. One is a Windows 10 Pro x64 laptop, and the other is a Windows 8 Pro x64 laptop. I reinstalled VirtualBox on both machines, the video card drivers on the W10 machine, as well as all Windows updates.

The Windows 8 machine is the only one of the two machines that seems to be showing any symptoms (very slow, and this happened in the past week or so - the original system files I had scanned were dated back to 2015 as far as creation/modification).

Since the W8 machine is showing the most symptoms, I started into safe mode - which went very quickly as opposed to the normal system start. I re-ran RogueKiller, but it couldn't find any infected files. I also ran scans with several different av/malware programs to no avail (I assume because the detected items are services and nothing is loaded in safe mode). I also ran checks on a few of the specific .sys files from both machines on VirusTotal and no infections were found in the files themselves. I checked the recovery partitions and such for hidden sources, but I didn't find anything odd.

The only thing I can think of that I have installed that would 'hook' into anything would be Zemana AntiLogger, which I'm sure is known as an anti-keylogger program. I'm not sure if it uses AppInit_DLLs, but that would be the only program I know of on both machines that could be causing something. It's like there are viruses, but only when the system is fully running.

It's funny, because it reminds me slightly of a property of quantum physics, where the observer creates the observed event. But I digress... Below are the readings from the logfiles of the RogueKiller scans on both machines in normal mode. I couldn't really find any relevant information on services infections of MalPE or the numbers after the detections, but from what I understand, MalPE is usually considered or caught at the file level as 'Bloodhound.MalPE', and also that MalPE itself could cover a wide variety of trojans of a certain character (I can't remember what the exact description is at the moment).

I thought I'd start here with assistance, since RogueKiller is the only program that is detecting these. There is definitely something wrong with the Win8 machine, but it's an older install - so it could be unrelated or hardware. Any help is much appreciated! Thanks!

-JP

Win10 Machine:

[MalPE.52] (SVC) amdkmdag -- \SystemRoot\system32\DRIVERS\atikmdag.sys[7] -> Found
[MalPE.26] (SVC) AmdPPM -- \SystemRoot\System32\drivers\amdppm.sys[-] -> Found
[MalPE.32] (SVC) bowser -- system32\DRIVERS\bowser.sys[-] -> Found
[MalPE.26] (SVC) luafv -- \SystemRoot\system32\drivers\luafv.sys[-] -> Found
[MalPE.32] (SVC) mrxsmb -- system32\DRIVERS\mrxsmb.sys[7] -> Found
[MalPE.27] (SVC) mshidkmdf -- \SystemRoot\System32\drivers\mshidkmdf.sys[-] -> Found
[MalPE.30] (SVC) VBoxDrv -- \SystemRoot\system32\DRIVERS\VBoxDrv.sys[7] -> Found
[MalPE.32] (SVC) VBoxNetLwf -- \SystemRoot\system32\DRIVERS\VBoxNetLwf.sys[7] -> Found
[MalPE.32] (SVC) VBoxUSBMon -- \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys[7] -> Found

Win8 Machine:

[MalPE.29] (SVC) bowser -- system32\DRIVERS\bowser.sys[-] -> Found
[MalPE.33] (SVC) HTTP -- system32\drivers\HTTP.sys[-] -> Found
[MalPE.51] (SVC) mrxsmb -- system32\DRIVERS\mrxsmb.sys[-] -> Found
[MalPE.27] (SVC) Psched -- \SystemRoot\system32\DRIVERS\pacer.sys[-] -> Found
[MalPE.31] (SVC) srv2 -- System32\DRIVERS\srv2.sys[-] -> Found
[MalPE.30] (SVC) VBoxDrv -- \SystemRoot\system32\DRIVERS\VBoxDrv.sys[7] -> Found
[MalPE.30] (SVC) VBoxUSBMon -- \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys[7] -> Found
[MalPE.27] (SVC) vmbusr -- \SystemRoot\System32\drivers\vmbusr.sys[-] -> Found
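As an added triage aid (not part of the original post and not Adlice's code), the following Python script parses RogueKiller service-detection lines in the format shown above, expands the service image paths to plain Win32 paths, and cross-references the two machines' reports. It assumes the Windows directory is C:\Windows, and it keeps the trailing [7] / [-] tag as opaque text because the thread does not explain it. The sample input is the two log blocks quoted above, embedded as constructed test data.

```python
import re
from collections import defaultdict

# Constructed sample input: the detection lines from the two RogueKiller scans
# posted above, keyed by machine.
SAMPLE_REPORTS = {
    "Win10": r"""
[MalPE.52] (SVC) amdkmdag -- \SystemRoot\system32\DRIVERS\atikmdag.sys[7] -> Found
[MalPE.26] (SVC) AmdPPM -- \SystemRoot\System32\drivers\amdppm.sys[-] -> Found
[MalPE.32] (SVC) bowser -- system32\DRIVERS\bowser.sys[-] -> Found
[MalPE.26] (SVC) luafv -- \SystemRoot\system32\drivers\luafv.sys[-] -> Found
[MalPE.32] (SVC) mrxsmb -- system32\DRIVERS\mrxsmb.sys[7] -> Found
[MalPE.27] (SVC) mshidkmdf -- \SystemRoot\System32\drivers\mshidkmdf.sys[-] -> Found
[MalPE.30] (SVC) VBoxDrv -- \SystemRoot\system32\DRIVERS\VBoxDrv.sys[7] -> Found
[MalPE.32] (SVC) VBoxNetLwf -- \SystemRoot\system32\DRIVERS\VBoxNetLwf.sys[7] -> Found
[MalPE.32] (SVC) VBoxUSBMon -- \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys[7] -> Found
""",
    "Win8": r"""
[MalPE.29] (SVC) bowser -- system32\DRIVERS\bowser.sys[-] -> Found
[MalPE.33] (SVC) HTTP -- system32\drivers\HTTP.sys[-] -> Found
[MalPE.51] (SVC) mrxsmb -- system32\DRIVERS\mrxsmb.sys[-] -> Found
[MalPE.27] (SVC) Psched -- \SystemRoot\system32\DRIVERS\pacer.sys[-] -> Found
[MalPE.31] (SVC) srv2 -- System32\DRIVERS\srv2.sys[-] -> Found
[MalPE.30] (SVC) VBoxDrv -- \SystemRoot\system32\DRIVERS\VBoxDrv.sys[7] -> Found
[MalPE.30] (SVC) VBoxUSBMon -- \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys[7] -> Found
[MalPE.27] (SVC) vmbusr -- \SystemRoot\System32\drivers\vmbusr.sys[-] -> Found
""",
}

# One RogueKiller service detection line, e.g.
#   [MalPE.52] (SVC) amdkmdag -- \SystemRoot\system32\DRIVERS\atikmdag.sys[7] -> Found
LINE_RE = re.compile(
    r"^\[(?P<family>[A-Za-z]+)\.(?P<variant>\d+)\]\s+"  # [family.variant]
    r"\((?P<kind>\w+)\)\s+"                             # (SVC)
    r"(?P<service>\S+)\s+--\s+"                         # service name
    r"(?P<path>.+?)\[(?P<tag>[^\]]*)\]\s+"              # image path, then the [7] / [-] tag
    r"->\s+(?P<status>\w+)\s*$"
)


def normalize_path(image_path, system_root="C:\\Windows"):
    r"""Expand the image-path forms seen in service entries to a plain Win32 path.
    Service ImagePath values may be \SystemRoot-relative, bare (relative to the
    Windows directory), \??\-prefixed, or already absolute. system_root is an
    assumption; read it from the host when running for real."""
    p = image_path.strip()
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        return system_root + p[len("\\SystemRoot"):]
    if low.startswith("\\??\\") or low.startswith("\\\\?\\"):
        return p[4:]
    if re.match(r"^[a-z]:\\", low):
        return p
    return system_root + "\\" + p


def parse_line(line, machine):
    """Return a dict for one detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["variant"] = int(d["variant"])
    d["machine"] = machine
    d["normalized_path"] = normalize_path(d["path"])
    return d


def parse_report(text, machine):
    """Parse every detection line in a report; non-detection lines are skipped."""
    return [d for d in (parse_line(l, machine) for l in text.splitlines()) if d]


def shared_services(reports):
    """Cross-reference several machines. For each service flagged on more than one
    machine, return the machines, the (case-folded) paths and the MalPE variant
    number each machine assigned to it."""
    by_service = defaultdict(lambda: {"service": None, "machines": set(), "paths": set(), "variants": {}})
    for machine, text in reports.items():
        for d in parse_report(text, machine):
            entry = by_service[d["service"].lower()]
            entry["service"] = d["service"]
            entry["machines"].add(machine)
            entry["paths"].add(d["normalized_path"].lower())
            entry["variants"][machine] = d["variant"]
    result = {}
    for key, entry in by_service.items():
        if len(entry["machines"]) > 1:
            entry["machines"] = sorted(entry["machines"])
            entry["paths"] = sorted(entry["paths"])
            result[key] = entry
    return result


def unique_image_paths(reports):
    """Every distinct flagged driver path across all machines, case-folded, ready to
    hand to a signature check on the host."""
    return sorted({d["normalized_path"].lower() for m, t in reports.items() for d in parse_report(t, m)})


if __name__ == "__main__":
    shared = shared_services(SAMPLE_REPORTS)
    for key in sorted(shared):
        e = shared[key]
        print(f"{e['service']:<12} on {', '.join(e['machines'])}  variants={e['variants']}")
    print(f"{len(unique_image_paths(SAMPLE_REPORTS))} distinct driver paths to verify")
```

Two things the parsed data makes visible: the same driver path (bowser.sys, mrxsmb.sys) receives a different MalPE variant number on each machine, so the number is not a property of the file alone, and every flagged path is a stock Windows, AMD or VirtualBox kernel driver. On the host, the list from `unique_image_paths` is what you would feed to PowerShell's `Get-AuthenticodeSignature` to confirm each file still carries a valid vendor signature, which is the check the poster's VirusTotal lookups were approximating.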

Reply #1, June 02, 2017, 11:40:01 PM

Curson (Global Moderator)

Hi prints,

Thanks for supporting our product and welcome to Adlice.com forum.

A bug was spotted that triggers false positives when using MalPE analysis. This will be fixed on RogueKiller next release.
I advise you to disable it for the time being.

Regards.

Reply #2, June 03, 2017, 03:27:03 AM

prints

Quote from: Curson on June 02, 2017, 11:40:01 PM
> Hi prints,
>
> Thanks for supporting our product and welcome to Adlice.com forum.
>
> A bug was spotted that triggers false positives when using MalPE analysis. This will be fixed on RogueKiller next release.
> I advise you to disable it for the time being.
>
> Regards.

Hi Curson, thanks for the warm welcome! I am using the free version, so I figured the MalPE module wasn't technically active. Or if it is, I'm not able to disable it. I'm not sure which is the case. Anyhow, after extended analysis of my systems, I can't find the source of these reported hijacked services. I just want to make sure that there's something horribly wrong. Would this bug still be the cause in this case?

Thanks, I appreciate the response - and thanks for helping with RogueKiller. I have to say, MalwareBytes used to be my go-to for spot scanning. Now I've been using RK. I'd rather have an AV be overly thorough than not thorough enough ;)

-JP

Reply #3, June 03, 2017, 02:26:46 PM

Curson (Global Moderator)

Hi prints,

The MalPE engine shouldn't be enabled in the free version; this looks like another bug.
Could you please attach the RogueKiller JSON report with your next reply?

No, there is nothing wrong on your system.
Thanks for the kind words. :)

Regards.