There's "service.exe" virus that for some reason managed to add "exception" in windows defender

Discussion in 'PC Hardware, Software and Displays' started by orangpelupa, Apr 9, 2021.

  1. orangpelupa
    I don't know how. I checked the files and folders; it turns out it's been there since 2020 (can "Date Created" be faked?). Not detected by Windows Defender, because it turns out it adds

    "AppData/Roaming" as an "Exception" folder.

    Fortunately it was blocked by the TinyWall firewall. But I don't know what kind of data it has exfiltrated (someone on Reddit says it talks to a Telegram chatbot), as I have only used the TinyWall firewall since 2021.

    So to be safe, go check your antivirus exception folder and make sure it only lists folders that you know you've put exceptions on.

    Also check %USERPROFILE%\AppData\Roaming\d_temp
    and %USERPROFILE%\AppData\Roaming\

    to clean up.

    I'm also not sure how to completely remove this thing, as according to right-click > Properties, this thing keeps getting opened/called/run every few minutes.

    EDIT:
    It's also able to silently add the "exclusion folder" again into Windows Defender without a UAC prompt!

    I think I would need to nuke this Windows....
     
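    The checks the post above recommends (Defender exclusion list, the d_temp folder, and whether file dates can be trusted), written out as an added PowerShell example. This is not code from the thread or from any of the posters. It assumes an elevated PowerShell session; the d_temp folder name is taken from the post, while the extension list and the 50-event window are arbitrary choices for the example.

```powershell
# Added example, not from the thread: audit Windows Defender exclusions and
# look at the folders named in the post. Run from an elevated PowerShell.
# Assumptions: the d_temp folder name comes from the post; the file-extension
# list and the 50-event window are arbitrary choices for this example.

# 1. Exclusions as Defender itself reports them. On a machine where nobody
#    deliberately added any, all three lists should be empty.
$pref = Get-MpPreference
'--- Defender exclusions ---'
$pref.ExclusionPath      | ForEach-Object { "Path:      $_" }
$pref.ExclusionProcess   | ForEach-Object { "Process:   $_" }
$pref.ExclusionExtension | ForEach-Object { "Extension: $_" }

# 2. The same data in the registry. Get-MpPreference reads this key, and a
#    process that is already running elevated can write it with no UAC prompt.
$exclKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
if (Test-Path $exclKey) {
    (Get-Item $exclKey).Property | ForEach-Object { "Registry: $_" }
}

# 3. When did the configuration change? Defender logs event 5007 for every
#    configuration change; the 'New value' line names the added exclusion.
'--- Defender configuration changes (event 5007) ---'
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $ev  = $_
        $new = ($ev.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
        "$($ev.TimeCreated)  $new"
    }

# 4. Executable content under %APPDATA% (which contains d_temp). CreationTime
#    is ordinary file metadata that any process able to write the file can set
#    ([System.IO.File]::SetCreationTime), so it is a hint, not proof of age.
$dTemp = Join-Path $env:APPDATA 'd_temp'
if (Test-Path $dTemp) { "Present: $dTemp" } else { "Not present: $dTemp" }
$exts = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'
"--- Executable content under $env:APPDATA ---"
Get-ChildItem -Path $env:APPDATA -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Signature = $sig.Status      # NotSigned / HashMismatch deserve a closer look
            SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    } | Sort-Object Modified -Descending | Format-Table -AutoSize
```

    Plenty of legitimate software (chat clients, launchers, updaters) installs itself under AppData\Roaming, so the listing will not be empty; signed binaries from a vendor you recognise are expected, unsigned ones in a folder you don't recognise are what to look at. The SHA256 column is what you would paste into VirusTotal, as was done later in this thread, rather than uploading the file itself.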
  2. orangpelupa
  3. orangpelupa
    Only detected as a virus by 3 antivirus engines! (attached screenshot: upload_2021-4-9_20-31-53.png)
     
  4. Davros
    I use AVG, but I don't have anything added to the exclude list.
     
    orangpelupa likes this.
  5. Davros
    To see what's launching it, try Task Scheduler and Process Explorer.
    If you can't delete it, make a bootable Linux USB thumb drive and delete it from Linux.
     
    orangpelupa likes this.
  6. orangpelupa
    It can be deleted; it's just curious that it was only detected by 3 antivirus engines according to VirusTotal.
     
  7. DmitryKo
    BRiT likes this.
  8. orangpelupa
    It's the service.exe file that's only detected by 3 antivirus engines. It's the one that keeps auto-running again and again even after being killed.

    https://www.virustotal.com/gui/file...01649013780d3f9528b5c87fd9ba256f35da8/summary

    Dunno if it's also the one that silently adds the Windows Defender exception, or other modules (the other files inside the zip are just txt files and zip files).
     
  9. DmitryKo
    Well, unfortunately malware can be hard to remove even manually. You need to launch the Task Manager Details tab or SysInternals Process Explorer and check for suspicious processes which are running from unusual locations. They are typically launched by Task Scheduler tasks, shortcuts in the Startup folder (MsConfig and the Task Manager Startup tab), and Run/RunOnce keys in the registry. Advanced trojans install themselves into system services or the Winlogon/Userinit processes; these can successfully circumvent all attempts to remove them.

    I suggest you ask for help on enthusiast forums like Bleeping Computer. Typically you will need to run their preferred diagnostic/removal tool (such as FRST64, AVZ, AdAware etc.) and attach the logs to your forum post; then you will be given further instructions or a script file to remove your specific infection.

    https://www.bleepingcomputer.com/fo...ng-malware-removal-tools-and-requesting-help/
    https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/
    https://www.malwareremoval.com/forum/viewtopic.php?t=47959
    etc.
     
    Silent_Buddha, orangpelupa and BRiT like this.
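    The persistence locations listed in replies 5 and 9 (scheduled tasks, Startup folder, Run/RunOnce keys, services, Winlogon Shell/Userinit, plus running processes as Process Explorer would show them), collected by one added PowerShell script. This is an added example, not code from the thread or from any poster. It assumes an elevated session so HKLM and every scheduled task are readable; the "suspicious path" patterns (AppData, Temp, ProgramData, Users\Public, Downloads) are a triage heuristic chosen for this example, not a verdict, and the CHECK flag only means "a human should look at this one".

```powershell
# Added example, not from the thread: inventory the autostart locations named
# in the replies above and flag entries that launch from user-writable paths.
# Assumption: the path patterns below are a heuristic picked for this example.
# Run from an elevated PowerShell so HKLM and all scheduled tasks are readable.

$suspicious = '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Users\\Public\\', '\\Downloads\\'
function Test-Suspicious([string]$cmd) {
    foreach ($p in $suspicious) { if ($cmd -match $p) { return $true } }
    return $false
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Name, $Command) {
    $flag = if (Test-Suspicious $Command) { 'CHECK' } else { '' }
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Flag = $flag })
}

# 1. Scheduled tasks: the usual reason a killed process comes back a few minutes later.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ($a.Execute) { Add-Finding 'SchTask' "$($t.TaskPath)$($t.TaskName)" "$($a.Execute) $($a.Arguments)" }
    }
}

# 2. Run / RunOnce keys for the current user and for the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        Add-Finding 'RunKey' "$k\$($p.Name)" $p.Value
    }
}

# 3. Startup folders (per-user and all-users); resolve .lnk shortcuts to their target.
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
        }
        Add-Finding 'Startup' $_.Name $target
    }
}

# 4. Winlogon Shell / Userinit. The defaults are "explorer.exe" and
#    "C:\Windows\system32\userinit.exe," (trailing comma); anything appended is worth a look.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Add-Finding 'Winlogon' 'Shell'    $wl.Shell
Add-Finding 'Winlogon' 'Userinit' $wl.Userinit

# 5. Services: all go into the inventory; the path heuristic picks out the odd ones.
Get-CimInstance Win32_Service | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 6. Running processes, with the same "where is it running from" check you would
#    otherwise do by eye in Process Explorer. Protected processes expose no Path.
Get-Process | Where-Object Path | ForEach-Object {
    Add-Finding 'Process' "$($_.Name) (PID $($_.Id))" $_.Path
}

'--- entries launching from user-writable locations ---'
$findings | Where-Object Flag -eq 'CHECK' | Sort-Object Source, Name | Format-Table -AutoSize
'--- full inventory ---'
$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

    Two caveats worth keeping in mind when reading the output. First, a scheduled task that runs "with highest privileges" already executes elevated, which is one ordinary way a program can call Add-MpPreference or write the Exclusions registry key without any UAC prompt appearing. Second, the script only covers the locations the replies above list; it does not look at WMI event subscriptions, browser extensions or DLL search-order tricks, which is why reply 9's advice to post FRST logs on a removal forum still stands when this inventory comes up clean but the process keeps returning.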
  10. BoardBonobo
    If you've got an Nvidia card it will be linking into CUDA; also the work file is a PK, i.e. a zipped EXE file which contains AMD GPU-specific code and a large amount of plain old C, which itself appears to be the source to the coin miner. Enjoy :)
     


    Silent_Buddha and orangpelupa like this.
  • About Us

    Beyond3D has been around for over a decade and prides itself on being the best place on the web for in-depth, technically-driven discussion and analysis of 3D graphics hardware. If you love pixels and transistors, you've come to the right place!

    Beyond3D is proudly published by GPU Tools Ltd.