Search the Community

using win 10 x64 pro. malwarebytes 3.2 it started few weeks back when i used some privacy tools from "https://fdossena.com/?p=w10debotnet/index_1703.frag" to stop win 10 privacy. then nothing happend for few days but suddenly winlogon.exe was detacted as malware unwanted by comodo internet security. Afterwards kaspersky antivirus components got demaged by own. I have the comodo firewall as well with password for settings. suddenly autostart apps failed to start except few. malwarebytes did not find anything on scan but kept using high cpu. once even malware bytes stopped running access to the folder deined etc error. so reinstalled windows. but d drive with downloads exe msi was not formattted. works ok for few days then again same isses as above. suddenly the password of comdo is reset automatically it does not ask for any password to change settings. so installed avast antivirus but it also did not detect an=thing run usb scan from bitfender it found some "Rusy" virus but wheni updated definetions and scan again it did not find any thing. internet also stopped working started network troubleshooting wizard. it said windows firewall is blocking. so installed windows firewall control and removed all the entries from firewall and disabled it using windows firewall control. still dns service and dhcp service use high cpu. disabled dns service but dhcp still uses high cpu when connecting to internet. and internet does not work. So reinstalled the windows again. now isntalled outpost firewall and made rules for svchost etc in firewall. it blocks some connections logs are as under SVCHOST.EXE OUT UDP 239.255.255.250 1900 VIVALDI.EXE OUT TCP Logan 1001 SVCHOST.EXE IN UDP 192.168.0.1 1901 N/A IN IGMP 192.168.0.1 * Block IGMP 0 36 SVCHOST.EXE OUT UDP 224.0.0.252 5355 SVCHOST.EXE OUT TCP 157.56.77.140 443 Blocked by IP Blocklist 0 0 SVCHOST.EXE OUT TCP 157.55.240.89 443 Blocked by IP Blocklist 0 0 Attack detection log is as below:- Init log session 2017/09/13 10:32:20 attack detection: enabled 2017/09/13 10:32:20 IDS level: Low Security 2017/09/13 10:54:01 IDS level: Maximum Security 2017/09/13 11:22:34 detected scan packet: 50124; packet recv TCP 74.120.8.14:443 -> 192.168.0.12:50124 (40) [ ACK ] 2017/09/13 11:22:34 Attack SINGLE_SCAN_PORT (50124) detected from 74.120.8.14 {host not blocked} [00000000] 2017/09/13 11:22:36 detected port scanning: 50124, 50131, 50123; packet recv TCP 74.120.8.14:443 -> 192.168.0.12:50123 (40) [ ACK ] 2017/09/13 11:22:36 Attack SCAN (50124, 50131, 50123) detected from 74.120.8.14 {host blocked for 5 min} [000000CB] 2017/09/13 11:22:36 Show PROTECT alert sound: C:\PROGRA~1\Agnitum\OUTPOS~1\warning.wav 2017/09/13 11:27:36 intruder 74.120.8.14 unblocked [000000CB] 2017/09/13 11:34:27 IDS level: Optimal Protection 2017/09/13 13:07:16 [~] deinit data... ------------------------------------------------------------------------------- Init log session 2017/09/13 13:09:43 attack detection: enabled 2017/09/13 13:09:43 IDS level: Optimal Protection 2017/09/13 14:00:57 detected scan packet: 49747; packet recv TCP 74.120.8.12:443 -> 192.168.0.12:49747 (40) [ ACK ] 2017/09/13 14:44:46 detected scan packet: 50124; packet recv TCP 172.217.7.3:443 -> 192.168.0.12:50124 (95) [ PSH ACK ] 2017/09/13 19:08:24 detected scan packet: 51256; packet recv TCP 172.217.10.227:443 -> 192.168.0.12:51256 (52) [ SYN ACK ] 2017/09/13 19:13:01 detected scan packet: 51313; packet recv TCP 107.167.110.216:443 -> 192.168.0.12:51313 (40) [ ACK ] 2017/09/13 19:21:07 detected scan packet: 51435; packet recv TCP 172.217.11.34:80 -> 192.168.0.12:51435 (52) [ SYN ACK ] 2017/09/13 20:12:36 detected scan packet: 51597; packet recv TCP 54.192.38.92:443 -> 192.168.0.12:51597 (71) [ PSH ACK ] 2017/09/13 20:12:39 detected scan packet: 51603; packet recv TCP 54.192.38.67:443 -> 192.168.0.12:51603 (71) [ PSH ACK ] 2017/09/13 20:12:41 detected scan packet: 51587; packet recv TCP 54.230.38.179:443 -> 192.168.0.12:51587 (71) [ PSH ACK ] 2017/09/13 20:12:55 detected port scanning: 51603, 51605, 51604, 51607, 51606, 51624, 51627; packet recv TCP 54.192.38.67:443 -> 192.168.0.12:51627 (71) [ PSH ACK ] 2017/09/13 20:12:55 Attack SCAN (51603, 51605, 51604, 51607, 51606, 51624, 51627) detected from 54.192.38.67 {host blocked for 60 min} [000002DE] 2017/09/13 20:12:55 Show PROTECT alert sound: C:\PROGRA~1\Agnitum\OUTPOS~1\warning.wav 2017/09/13 20:13:01 detected scan packet: 51615; packet recv TCP 117.18.237.29:80 -> 192.168.0.12:51615 (40) [ FIN ACK ] 2017/09/13 20:53:06 [~] deinit data... 2017/09/13 20:53:06 intruder 54.192.38.67 unblocked [000002DE] 2017/09/13 20:53:22 [~] deinit... ------------------------------------------------------------------------------- Init log session 2017/09/14 08:57:45 attack detection: enabled 2017/09/14 08:57:45 IDS level: Optimal Protection ------------------------------------------------------------------------------- Init log session 2017/09/14 09:01:51 attack detection: enabled 2017/09/14 09:01:51 IDS level: Optimal Protection 2017/09/14 10:13:41 detected scan packet: 60411; packet recv UDP 176.103.130.131:53 -> 192.168.0.12:60411 (98) 2017/09/14 10:13:41 detected scan packet: 57089; packet recv UDP 176.103.130.130:53 -> 192.168.0.12:57089 (122) 2017/09/14 12:06:19 detected scan packet: 54269; packet recv TCP 216.58.220.14:80 -> 192.168.43.221:54269 (748) [ PSH ACK ] 2017/09/14 12:06:20 detected scan packet: 54224; packet recv TCP 204.79.197.200:443 -> 192.168.43.221:54224 (40) [ RST ACK ] 2017/09/14 12:09:17 detected scan packet: 54220; packet recv TCP 62.128.100.108:443 -> 192.168.43.221:54220 (40) [ RST ACK ] 2017/09/14 12:09:18 detected scan packet: 54219; packet recv TCP 38.113.165.68:443 -> 192.168.43.221:54219 (40) [ RST ACK ] 2017/09/14 12:17:54 detected scan packet: 54447; packet recv TCP 45.33.17.126:443 -> 192.168.0.12:54447 (78) [ PSH ACK ] 2017/09/14 12:19:03 detected scan packet: 54468; packet recv TCP 172.217.7.195:443 -> 192.168.0.12:54468 (95) [ PSH ACK ] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> now i have made a standard account in windows and use it instaed of admin account. now kaspersky as earlier says components have corrupted full scan does not detect any thing also malwarebytes does not detect any thing.comodo does not detect any thing, avast does not detect any thing but does not start full system scan even after 30 min of initiation. Also after infection installed ubuntu in dual boot with windows 10 using windows bootloader. pls help me fix this persistent infection. Addition.txt FRST.txt

As I was looking through my Task Manager, I noticed something odd. There were two conhost.exe running. One of them didn't have a file location, description, or even a user name (well, SYSTEM, but not really). Showing all processes made it decide that it had a description. It was also using more memory. The one that was selected didn't reveal a location. Look at the first and second image ("Windows5", "Windows10"). TaskMan (not Task Manager) revealed that the one using less memory was in System32. The other one was in my user folder ("Windows11"), but when I looked, there was nothing new. Showing all processes also made another csrss.exe appear, which was also using a lot more memory, but I don't think (keyword: think) that's an issue. As for the actual csrss.exe that was running, it didn't reveal a location either ("Windows6"). When showing all processes, both csrss.exe were were claiming to be running from the System32 folder, but so were the two conhost.exe. The winlogon.exe didn't have a location, TaskMan was also claiming it was in my user folder. (Simple picture to help: "Windows8".) Showing all processes made it give a location. (Picture to illustrate conhost.exe and csrss.exe: "Windows2", and a picture for winlogon.exe: "Windows4".) Also, noticed that TaskMan was claiming there were two nvwmi64.exe running, while Task Manager claimed one, but showing all processes revealed another ("Windows3", "Windows7", "Windows12"). Don't worry about the picture naming scheme. The numbers were the order I took them in; nothing else. I left out 1 and 9 because they turned out to be irrelevant. As a note, Kaspersky and Malwarebytes scans came back clean. My computer appears to be operating normally with no kind of slowdowns. The only problem is the mouse sometimes acting up, but this is the mouse's fault. If this is Windows being rude, then sorry for wasting your time. But I don't really think it's the fault of Windows. I've read other posts where the processes didn't have a location, like now, and they actually found something. Help is appreciated. FRST.txt Addition.txt

I don't know what it's called by It looks like I have the same csrss.exe, winlogon.exe problem discussed in other posts. It appears in Task Manager/Performance that they are consistently chewing up memory and CPU. They also appear as the top #1 & #2 in the Processes list. Performance is generally slow. I'm reluctant to follow the resolution in other threads since there appears to be some uniqueness with them. I would be grateful to receive some assistance with this.

Additionally, a Malwarebytes scan returned >71,000 threats yet the program was unresponsive when I tried to remove all threats. Help?! Addition.txt FRST.txt THREATS.txt

in safe mode csrss.exe and winlogon look normal However when Win 7 64bit pc is booted into normal mode there is no description for either and no username. I can also not find the file location of either process. Have run malwarebytes in normal mode as well as Kapersky 6 and have not found a virus. Still suspicious though?

RE: Winlogon.exe and csrss.exe infections Hello, I’m running XP Pro, SP3. I noticed in Glarysoft Pro 3 under processes these two items which appear to be Trojans from my research. One indicator is the executable path which is not my normal system32 folder which on my machine is E:\WINDOWS\system32 folder. The infections have the same file name but with two questionmarks in front. They are also the only two processes that have high priority. My windows system32 folder has the real winlogon.exe that is only 496kb versus the infection file which shows memory of 2554 kb. Same deal for csrss.exe which is 6kb versus the infection at 2764kb. I read that malware files are much larger than the real windows files. Under the Windows Task Manager, they cannot be ended because they are “critical” system processes nor could I end them in Glarysoft 3. Akso, these are not showing up on the attached DDS log. Infections Name Executable winlogon.exe \\??\E:\WINDOWS\system32\winlogon.exe csrss.exe \\??\E:\WINDOWS\system32\csrss.exe Also, are these processes legit as they have no information.: System System Idle Processes I read another thread for troubleshooting winlogon.exe in this forum and ran Roguekiller as was suggested and have attached the report but didn’t delete anything. Thought it might give an indication. I’m running a trial version of Kaspersky Pure 3.0 and MBAM Pro which hasn’t been automatically starting. A few weeks ago, I had to reinstall XP Pro which is why it is on my E partition. I tried to restore a registry backup from Glarysoft and when windows tried to load it would get into a reboot loop. I figured I had nuked the registry. The required dds and attach.txt logs are attached. Thanks! dds.txt attach.txt