pejot92

Strange type of malware/rootkit or whatever it is. W10 reinstall doesn't help


Hello, 

Some time ago, let's say a month ago, my computer started to act strange. For example, the CPU fan was always on high RPM, and any time I tried to check what caused the high CPU usage, when I entered Task Manager the CPU usage was at 9%-10%. But I had a feeling that something strange was going on. Also, I had some strange services running on my PC. For example, if the normal service name is Print Server, I had this service stopped and there was another one, "PrintServer_a8xdc6dsa" or something like that. Also, I found out that some strange firewall rules were being added to my firewall using ports from 50000-59999. I also found that I had a lot of network services running, and also some "network accounts?" I was unable to find those sessions trying with cmd -> Query session ID. I was able to find only my session. Also, my computer was redirecting all my network queries to those strange ports. For example, when I was using internet port 80, I checked with Wireshark that it was being redirected to a 5xxxx port.

 

I reinstalled Windows and everything was okay until yesterday. I was checking my CPU usage once again because of the computer being slow etc. CPU usage was again at a low level, but I found in the processes that I had a lot of svchost.exe instances running. Some of them were local, some of them were Network services related.

 

Conclusion: I think my computer was hacked and used as part of a botnet? Or a kind of bitcoin miner. Also, in the registry under Windows profiles I had some strange keys with Chinese letters. I reformatted the computer again today and I didn't even connect to the internet. I downloaded Farbar and here are my results. Do you guys see anything suspicious? Also, I have to confess that I have 5 hard drives and I reformatted only one of them because I can't afford to lose data from those drives. Also, I had a feeling that my svchost.exe from Windows/System32 is corrupted, and also other .exe files from this directory, because they were executed with strange commands added such as -NetsvcUser and such stuff.

 

Could someone please look into logs and check for anything suspicious?

 

FRST.txt Addition.txt


Hello @pejot92

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
