Malware detected but I couldn't find the source

Hi,

I have a PC where "Sophos Endpoint" periodically detects a malware. This malware has been cleaned. Here is the log.

Feb 11, 2019 2:16 PM Malware cleaned up: 'Mal/Generic-R' at 'C:\Windows\System32\cbdglkue.bo'
Feb 11, 2019 2:15 PM Malware detected: 'Mal/Generic-R' at 'C:\Windows\System32\cbdglkue.bo'

I ran "Sophos Clean", but it does not find any risk.

What is the source of this malware?

  • Hello Fonderia Corra,

    The Source of Infection tool might be of help (can't say if it also runs on Win10).

    Christian

  • In reply to QC:

    Hi Christian,

    the tool gives me this log:

    2019/02/12 14:09:54,"C:\Windows\System32\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50","Process","C:\Windows\System32\services.exe"
    2019/02/12 14:56:46,"C:\Windows\System32\config\netlogon.ftl","Process","C:\Windows\System32\lsass.exe"
    2019/02/12 15:06:15,"C:\Windows\System32\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50","Process","C:\Windows\System32\services.exe"
    2019/02/12 15:48:38,"C:\Windows\System32\Tasks\At8","Process","C:\Windows\System32\svchost.exe"
    2019/02/12 15:48:38,"C:\Windows\System32\Tasks\At8","Process","C:\Windows\System32\svchost.exe"

    Unfortunately it is not helpful for me. Any idea?

    The file flagged as bad is:

    Path:
    c:\windows\system32\cbdglkue.bo
    Name:
    cbdglkue.bo
  • In reply to Fonderia Corra:

    Hello Fonderia Corra,

    which options did you use for SOI?

    Christian

  • In reply to QC:

    Hi,

    I used -p -a "folder"

  • In reply to QC:

    Hi, I found at8.job in C:\Windows\Tasks\At8 and not in C:\Windows\System32\Tasks\At8.

    I'll try to delete it.

    I'm waiting for the Sophos Endpoint response.

  • In reply to Fonderia Corra:

    Hello Fonderia Corra,

    I'd use neither -p nor -n; maybe restrict it with -ext bo, and use -loglevel 1. It has to run until you get the detection.
    BTW: Mal/Generic-R is not necessarily malicious.

    Christian
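The two leads in this thread are the At8 scheduled task that keeps reappearing and the question of which process writes cbdglkue.bo into System32. The script below is an added example, not from the thread, the Sophos Source of Infection tool or Sophos Clean: it enumerates At* task files in both task folders mentioned above, lists registered tasks named At<N> or whose command references a .bo file, and, as a substitute for running SOI until the next detection, asks Sysmon (assumed to be installed with FileCreate logging, Event ID 11) which process created the file. The target path, task folders, the Sysmon channel name and the .bo extension are assumptions taken from the thread; it needs PowerShell 3 or later and an elevated prompt.

```powershell
# Added triage example (not Sophos or SOI code). Assumptions: the detected path
# from the thread, the two task folders it mentions, and Sysmon with a FileCreate
# (Event ID 11) rule covering C:\Windows\System32. Run as Administrator.
param(
    [string]$Target     = 'C:\Windows\System32\*.bo',      # wildcard: any .bo dropped in System32
    [string[]]$TaskDirs = @('C:\Windows\Tasks', 'C:\Windows\System32\Tasks'),
    [int]$Days          = 7
)

function Get-AtJobs {
    # Legacy AT jobs are At<N>.job binaries in C:\Windows\Tasks; the Task Scheduler 2.0
    # store (System32\Tasks) keeps XML definitions with no extension, e.g. "At8".
    foreach ($dir in $TaskDirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'At*' } |
            ForEach-Object {
                $cmd = $null
                if ($_.Extension -ne '.job') {
                    # XML definition: pull every <Exec> command line out of <Actions>.
                    try {
                        [xml]$x = Get-Content -Path $_.FullName -Raw
                        $cmd = ($x.Task.Actions.Exec |
                                ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join '; '
                    } catch { $cmd = '<unparsable>' }
                }
                [pscustomobject]@{
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    Command = $cmd
                }
            }
    }
}

function Get-SuspiciousScheduledTasks {
    # schtasks.exe ships with every supported Windows; /fo CSV /v yields one row per
    # task trigger, which ConvertFrom-Csv turns into objects. Repeated header rows
    # (TaskName = "TaskName") fall out of the filter below.
    schtasks.exe /query /fo CSV /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -match '\\At\d+$' -or $_.'Task To Run' -match '\.bo\b' } |
        Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time', Status
}

function Get-FileWriters {
    param([string]$Path, [int]$Days)
    # Sysmon Event ID 11 (FileCreate) carries Image (the writing process), ProcessId
    # and TargetFilename. Without Sysmon, or without a rule for this path, it is empty.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['TargetFilename'] -like $Path) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Image  = $d['Image']
                Pid    = $d['ProcessId']
                Target = $d['TargetFilename']
            }
        }
    }
}

Write-Host "== At* task files in $($TaskDirs -join ', ') =="
Get-AtJobs | Format-Table -AutoSize

Write-Host "== Registered tasks named At<N> or referencing a .bo file =="
Get-SuspiciousScheduledTasks | Format-Table -AutoSize

Write-Host "== Processes that created $Target (Sysmon EID 11, last $Days days) =="
Get-FileWriters -Path $Target -Days $Days | Sort-Object Time | Format-Table -AutoSize
```

The task listing answers the question raised above of which folder actually holds the job and what it runs; the Sysmon query gives the writing process and PID directly, which is the same thing SOI is asked to capture by running until the next detection. If the writer turns out to be svchost.exe or services.exe, as in the SOI log above, the task definition itself is the more useful lead, because those hosts only execute what the scheduled action tells them to.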