Malware or virus which appears to be undetectable??

Deek (Member; joined Apr 9, 2013; 152 posts; Sacramento, Ca)
Hey gents and ladies,

XP x64

I have what appears to be a legit service (unconfirmed) in XP x64 called "Wireless configuration" (WZCSVC)
Description:
"Enables automatic configuration for IEEE 802.11 adapters. If this service is stopped, automatic configuration will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."

Path to EXE:
C:\WINDOWS\System32\svchost.exe -k netsvcs

When running I have a svchost that tries talking to 221.237.152.171

which resolves to 171.152.237.221.broad.cd.sc.dynamic.163data.com.cn (CHINA)

I was able to block it at my firewall (Comodo) and I disabled the service to stop the activity. I also scanned my machine with Malwarebytes, Avast boot scan, and Eset online scanner....all of which found nothing.

SFC is also clean

svchost.exe is clean according to virustotal

So my question:

I am assuming this is some sort of zero-day thing that isn't in any signature databases yet; how would I find the hooks into the bad file and eliminate this possible threat? I have to believe it's a real issue, since there is no reason for my machine to be talking to a dynamic IP in China.

Thanks in advance, Deek
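A point worth making explicit before chasing this further: the "Path to EXE" above is svchost.exe, which is only a host process. It loads whatever DLL each service in the netsvcs group has registered under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters\ServiceDll, so a clean VirusTotal verdict on svchost.exe says nothing about the DLL loaded for WZCSVC or for any other service sharing that process. The script below is an added example, not code from this thread or from any of the tools named in it. It correlates the text output of three commands that exist on XP (netstat -ano, tasklist /svc, and reg query ... /v ServiceDll) to walk from the remote IP to the owning PID, to the services hosted in that PID, to each service's ServiceDll, and flags any DLL that lives outside System32 or does not match a known-good name. All command output here is constructed so it runs offline; SYSTEM_ROOT, the KNOWN_GOOD table and the fictitious DemoSvc entry are assumptions and should be replaced with values taken from the real machine and a clean install of the same build.

```python
"""Added triage helper (not from the thread): walk from a suspicious
remote IP to the owning PID, to the services hosted in that PID, to the
DLL each service is registered to load.  Parses the text output of
netstat -ano, tasklist /svc and reg query; the samples below are
constructed so the script runs offline."""
import re

SUSPICIOUS_IP = "221.237.152.171"
SYSTEM_ROOT = r"C:\WINDOWS"  # assumption; use the real %SystemRoot% value

# Known-good ServiceDll names for a few netsvcs members.  Assumption:
# populate this from a clean install of the same OS build, not from memory.
KNOWN_GOOD = {
    "wzcsvc": "wzcsvc.dll",
    "browser": "browser.dll",
    "schedule": "schedsvc.dll",
    "w32time": "w32time.dll",
}

# --- constructed sample output, in the layout the real commands use on XP ---
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1052       221.237.152.171:80     SYN_SENT        1084
  UDP    0.0.0.0:500            *:*                                    688
"""

TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    688 RpcSs
svchost.exe                   1084 Browser, Schedule, W32Time, WZCSVC,
                                   DemoSvc
"""


def _reg(svc, path):
    """Constructed `reg query HKLM\\...\\Services\\<svc>\\Parameters /v ServiceDll` output."""
    return (f"\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{svc}\\Parameters\n"
            f"    ServiceDll    REG_EXPAND_SZ    {path}\n")


# DemoSvc is a fictitious service added only to exercise the mismatch branch.
REG_QUERY = {
    "Browser": _reg("Browser", r"%SystemRoot%\System32\browser.dll"),
    "Schedule": _reg("Schedule", r"%SystemRoot%\System32\schedsvc.dll"),
    "W32Time": _reg("W32Time", r"%SystemRoot%\System32\w32time.dll"),
    "WZCSVC": _reg("WZCSVC", r"%SystemRoot%\System32\wzcsvc.dll"),
    "DemoSvc": _reg("DemoSvc", r"C:\WINDOWS\Temp\demosvc.dll"),
}


def pids_talking_to(netstat_text, ip):
    """PIDs of every TCP/UDP socket whose foreign address is `ip`."""
    pids = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            foreign, pid = parts[2], parts[-1]
            if foreign.rsplit(":", 1)[0] == ip:
                pids.add(int(pid))
    return pids


def _split_services(text):
    return [s for s in (t.strip() for t in text.split(",")) if s and s != "N/A"]


def services_by_pid(tasklist_text):
    """Map PID -> list of service names, joining tasklist's wrapped rows."""
    table, current = {}, None
    for line in tasklist_text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():  # continuation of the previous row's service list
            if current is not None:
                table[current].extend(_split_services(line))
            continue
        m = re.match(r"^(.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            current = int(m.group(2))
            table[current] = _split_services(m.group(3))
    return table


def service_dll(reg_output):
    """Extract the ServiceDll value from reg query output, or None."""
    for line in reg_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "servicedll":
            return parts[2].strip()
    return None


def check_dll(service, dll_path):
    """Return a problem description, or None if the registration looks legitimate."""
    # lambda replacement avoids re.sub treating backslashes in SYSTEM_ROOT as escapes
    expanded = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, dll_path, flags=re.I).lower()
    directory, _, basename = expanded.rpartition("\\")
    if directory != (SYSTEM_ROOT + r"\System32").lower():
        return f"{service}: ServiceDll outside System32: {dll_path}"
    expected = KNOWN_GOOD.get(service.lower())
    if expected and basename != expected:
        return f"{service}: ServiceDll is {basename}, expected {expected}"
    return None


def triage(ip, netstat_text, tasklist_text, reg_outputs):
    """Findings for every service hosted in a PID that talks to `ip`."""
    findings = []
    svcs = services_by_pid(tasklist_text)
    for pid in sorted(pids_talking_to(netstat_text, ip)):
        for service in svcs.get(pid, []):
            dll = service_dll(reg_outputs.get(service, ""))
            if dll is None:
                findings.append(f"pid {pid}: {service}: no ServiceDll value found")
                continue
            problem = check_dll(service, dll)
            if problem:
                findings.append(f"pid {pid}: {problem}")
    return findings


if __name__ == "__main__":
    for finding in triage(SUSPICIOUS_IP, NETSTAT, TASKLIST, REG_QUERY):
        print(finding)
```

On the real machine, run the three commands while the connection is active (the service has to be enabled again briefly for that), paste their output in place of the constructed samples, and run the reg query once per service that tasklist lists for the svchost PID. A DLL whose path and name both check out still needs its hash compared against the same file from a clean install or a trusted source; this script only narrows the search to the handful of DLLs worth hashing and submitting, which is what svchost.exe's own clean verdict cannot do.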
 
Hi, Deek.

If you look at the latest report at IP Info: 221.237.152.171 - Internet Security | SANS ISC and review the latest report/TCP/UDP Port Activity, I agree I would not want to be accessing that domain. If you'll post the logs requested in the Malware Removal Posting Instructions topic, we can take a closer look to see if anything suspicious shows.

DDS.com won't run on XP x64, and this is all I got from "securitycheck". Have any other ideas? (FYI - I don't use IE and I do use Comodo for my firewall)

Results of screen317's Security Check version 0.99.79
Windows XP x64
Out of date service pack!!
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Malwarebytes Anti-Malware version 1.75.0.1300
HijackThis 2.0.2
Java 7 Update 45
Java version out of Date!
Adobe Flash Player 12.0.0.44
Adobe Reader 10.1.7 Adobe Reader out of Date!
Mozilla Firefox (26.0)
Mozilla Thunderbird (24.3.0)
Google Chrome 32.0.1700.102
Google Chrome 32.0.1700.107
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Agnitum Outpost Firewall Pro acs.exe
Agnitum Outpost Firewall Pro op_mon.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
 
Strange. Let's see what OTL shows.

Please download OTL by Old Timer. Save it to your Desktop.
  • Right click on OTL.exe select "Run As Administrator" to run it. If prompted by UAC, please allow it.
  • Click the Scan All Users checkbox.
    Leave the remaining selections to the default settings.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened, maximized
    • Extras.txt <-- Will be minimized on task bar.
  • Please post the contents of both OTL.txt and Extras.txt files in your next reply.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!
