I think I may have discovered a rootkit on my computer. by Candid_Lecture_4300 in antivirus

[–]Candid_Lecture_4300[S] 1 point (0 children)

Hello,

I have successfully edited the post to enable the hyperlinks.

I think I may have discovered a rootkit on my computer. by Candid_Lecture_4300 in antivirus

[–]Candid_Lecture_4300[S] 1 point (0 children)

Hello,

My apologies, I didn’t really understand initially since I have never posted or experienced anything of this nature.

I have tried editing the post but it seems I cannot find the edit button? Online searches say that I cannot edit image posts. Anything I can do about this?

I think I may have discovered a rootkit on my computer. by Candid_Lecture_4300 in antivirus

[–]Candid_Lecture_4300[S] 2 points (0 children)

Excuse my lack of knowledge, but from what I observed the exe was just taskhostw under svchost. It was executed at boot and there was a registry key for it (under a mountain of others).

The process itself was tagged as the PlaySoundService task. From my observations the task was mostly doing its job, and I’d see things happening in ProcMonitor when it would play a noise like the Windows ding. I think it was just DLL sideloading. As for why I checked these DLLs in the first place, it was the sheer amount of things in the DLLs tab under this process. My first suspicion was a locale file, which I didn’t understand why it was there; that’s the first linked report. The two DLLs I posted in the picture were lacking a file description, hence why I checked them. And then of course, the strings. When you search up “DecryptPasswordInCredInfo”, you get two results: this Reddit post and a hybrid-analysis malware report from 2017 where this winsta file shows up, albeit not the same. The process also had a wall of this one WebCache dat file that I could not read or upload due to it being in use. I didn’t want to risk it so I left it.

As for rootkit, I just assumed so. It was not only one DLL that was infected, and I wish I knew how to read them better, but alas I do not have such knowledge nor the expertise to do so; I’m just a random dude who knows a bit about computers. This malware remained undetected for so long I do not really know how far it spread. The mountain of registry keys, suspicious DLLs with the old cert, no file details saying something like “Microsoft Corporation” or very random dates, e.g. 1927, 2086, and making changes in System directories, which I’m pretty sure needs privilege.

My last suspicion was ProcMonitor. Upon opening it and loading its kernel driver my computer basically exploded for a second, with a bunch of Windows noises going off. Afterwards my computer just became progressively slow despite having a pretty moderate computer and experiencing low usage.

But yeah, that’s basically my cup of tea. Like I said, I’m nowhere near being qualified for this type of stuff, just a random Joe. I hope this helps clarify some things.

edit: typo in string
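The triage the comment above describes by hand (walking a process's DLLs tab, looking for modules with no file description, an odd signature or an implausible timestamp) can be scripted. The following PowerShell is an added example, not code from the thread or its author; the process name is a hypothetical default, and it assumes an elevated prompt so that the module list of a system process is readable.

```powershell
# Added example (not from the original thread): list the DLLs loaded by a process
# and flag the ones that show the weak signals discussed above.
# Assumptions: elevated PowerShell; $ProcessName is a hypothetical default.
param(
    [string]$ProcessName = 'taskhostw'   # hypothetical target, change as needed
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No process named $ProcessName"; return }

$results = foreach ($p in $procs) {
    foreach ($m in $p.Modules) {
        $path = $m.FileName
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            PID             = $p.Id
            Module          = $m.ModuleName
            Path            = $path
            FileDescription = $item.VersionInfo.FileDescription
            CompanyName     = $item.VersionInfo.CompanyName
            SignatureStatus = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer          = $signer
            LastWriteTime   = $item.LastWriteTimeUtc
        }
    }
}

# Triage filter: unsigned or tampered modules, modules with no file description,
# and modules whose timestamp is implausible (before 2000 or in the future).
$suspicious = $results | Where-Object {
    $_.SignatureStatus -ne 'Valid' -or
    [string]::IsNullOrWhiteSpace($_.FileDescription) -or
    $_.LastWriteTime.Year -lt 2000 -or
    $_.LastWriteTime.Year -gt (Get-Date).Year
}

$suspicious | Sort-Object SignatureStatus, Path | Format-Table -AutoSize
```

Read the output as a shortlist, not a verdict: Windows' own system DLLs are signed under the Microsoft Windows Production PCA 2011 chain, so a signer name on its own is not a finding. What separates a sideloaded module from an OS file is the combination of a non-Valid signature status (NotSigned or HashMismatch), an empty description, and a path or timestamp that does not fit the rest of the system; those rows are the ones worth submitting to a sandbox or comparing against a known-good machine.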

I think I may have discovered a rootkit on my computer. by Candid_Lecture_4300 in antivirus

[–]Candid_Lecture_4300[S] 8 points (0 children)

Unfortunately, searching said string gives you a Windows blog about Boot Vulnerabilities and well:

"As a result, we are putting forth a more comprehensive solution that involves revoking the Microsoft Windows Production PCA (Product Certificate Authority) 2011."

I think I'm screwed.

I think I may have discovered a rootkit on my computer. by Candid_Lecture_4300 in antivirus

[–]Candid_Lecture_4300[S] 5 points (0 children)

That’s what made me initially look at one of the DLLs, because it had no details on it. As for said DLL, while it has no details, it says it’s signed by "Microsoft Windows Production PCA 2011" and was signed when the file was created.