
My laptop is being infected a lot



Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Run Malwarebytes and delete all the items reported.

Restart the computer normally.

Please post the Fixlog.txt.

p.s.

There is an "end" file in C:\

Name: end
Size: 0 KB
Nothing in there when opened with Notepad++

Delete it.

Let me know what problems you are having with this computer.
 

fixlist.txt


I have done all that you told me to do.

I am now 100% sure that some hacker has hacked my laptop; there are a lot of hack tools in it.

Here is all that I encountered:

1. Hack tools. I can only find the viewable ones; I don't know if there are any hidden files that can be found in cmd (Help)

2. There are a lot of ghost folders with weird names

3. I found this company in one of my folders [ Cheetah Mobile ] (I suspect the hacker is from China?!)

4. Folders containing files with only numbers; a lot have been found like this: cmcm/cm/kich/102-36cd649c-58ece1d6-c (Explain)

5. Every time I restart, my C:\ drive depletes by 200 MB <60-59.8-59.6....> (Help)

6. My laptop is being turned into a mining machine (Help)

7. They stole my admin rights on my own laptop (Help)

8. High, weird CPU usage every 5 minutes; yeah, I watched it, "osppscv" goes up to 25% then quickly goes down { always }

Another one was "NT kernel & system" using up to 100% then disappearing with no trace { only 1 time } [ A folder named "LiveKernelReports" has been found ]

Note: never use Avast for fighting and detecting malware

Some words: RIP laptop

Do you know any tool in the image?


Screenshot - 5_5_2020 , 6_55_49 AM.png

Fixlog.txt


Hi,

Let's take care of the disk filling up.

Follow the directives on this page.

https://www.easeus.com/backup-utility/fix-c-drive-filling-up-automatically.html

I would start with the instructions under this title:
Other Possible Reasons and Solutions for C Drive Keeps Filling up Issue

Read the instructions before proceeding.

If that is solved, what should we be looking at?

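A way to find out what is actually consuming the space, added here as an example that is not part of the thread or of the linked page: it measures the Windows locations that commonly grow between reboots, including the LiveKernelReports folder the original poster noticed, and records free space so two runs (before and after a restart) can be compared. The list of paths is an assumption about where to look, not something the thread established; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): size the folders that typically grow on C:
# between reboots so the "200 MB per restart" loss can be attributed to something.
# The path list is an assumption about where to look; LiveKernelReports is the
# folder the poster saw. Run from an elevated PowerShell so -Force can read
# hidden/system paths.

$candidates = @(
    "$env:SystemRoot\LiveKernelReports",              # live kernel dumps (watchdog)
    "$env:SystemRoot\Minidump",                       # crash minidumps
    "$env:SystemRoot\MEMORY.DMP",                     # full kernel dump (a file)
    "$env:SystemRoot\SoftwareDistribution\Download",  # Windows Update cache
    "$env:SystemRoot\Temp",
    "$env:TEMP",
    "$env:ProgramData\Microsoft\Windows\WER"          # Windows Error Reporting queue
)

function Get-PathSizeMB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item.PSIsContainer) { return [math]::Round($item.Length / 1MB, 1) }
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { $sum = 0 }   # empty folder: Measure-Object returns no Sum
    return [math]::Round($sum / 1MB, 1)
}

function Get-NewestWrite {
    param([string]$Path)
    $newest = Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest) { return $newest.LastWriteTime }
}

$report = foreach ($p in $candidates) {
    $mb = Get-PathSizeMB -Path $p
    if ($null -ne $mb) {
        [pscustomobject]@{ Path = $p; SizeMB = $mb; NewestWrite = Get-NewestWrite -Path $p }
    }
}
$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize

# Record free space; run the script again after a reboot and compare the two outputs.
$c = Get-PSDrive -Name C
'Free on C: {0:N2} GB  ({1})' -f ($c.Free / 1GB), (Get-Date -Format 'yyyy-MM-dd HH:mm')
```

The NewestWrite column is the useful one: a folder whose newest file is dated at the last boot is the one being written at each restart, and a steadily growing LiveKernelReports or Minidump folder points at a crashing driver rather than at malware.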

* I think it fixed the C: problem; now another problem

- Importance: I want to know what this thing "osppscv" is; it was using about 25% CPU, now it has disappeared just like "NT kernel & system"

- Oh, and "NT kernel & system" is back for more; this time it uses 60 MB of memory, and sometimes uses CPU, not as much as before

- Importance: "Xboxstat", seriously, on a laptop? Why is this thing running?

- Importance: Malwarebytes didn't actually delete or quarantine anything; I have checked the path to the file it thinks is a virus and it is still there

- Suggestion: Can you make a button that makes Malwarebytes stricter, not in quarantine and stuff but in detecting viruses?

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

- You don't have permission to access this file (I forced taking it as admin; when I got inside I found a few files related to CSC)

- I have found a lot of Chinese companies inside my laptop (Cheetah Mobile, Cotana Group (CSC), ...)

- I found a folder called "SoftwareDistribution"; when I got in there, it had 7 folders with some harmless-looking files, but when I used VirusTotal they were also harmless, yet related to a lot of hack tools, viruses and even more Chinese ones.

Should I delete these files manually, or is a special way needed to delete them? And what about these Chinese, how did they get into my laptop? I want to be hacked by Russia, not them.


Let's get the big guns.

Repair these services.

Boot into Safe Mode with Networking. Execute the following.

Please download Tweaking.com - Windows Repair from here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre-Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this, click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the "All Repairs" button, then select just the item(s) listed below

  • 01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    16 - Repair Windows Updates
    20 - Repair MSI (Windows Installer)
    25 - Restore Important Windows Services
    26 - Set Windows Service to Default Startup
    27.02 - Repair Windows 8/10 Apps Store (Completely Reset Apps Store)
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the contents of this file in your next reply.


===

Restart the computer normally.

How is the computer running now?


* Here are all the logs.

I think it fixed most of the problems, and I no longer see any high-CPU-usage files randomly appearing anymore.

The only problem now is "KMS-R@1nHook.exe" and "KMS-R@1nHook.dll"; a lot of antiviruses say these are hack tool viruses.

They didn't do anything to my laptop, but I want to remove them. Should I delete these manually, or is a special way needed?

_Windows_Repair_Log.txt Repair_MSI_Windows_Installer.txt Repair_Windows_Updates.txt Repair_WMI.txt


Hi,

I did not see these items in your logs.
They may be remnant items left in the Registry.

Run the Farbar program (.exe) as an Administrator.

In the Search text area, copy and paste the following:
KMS-R@1nHook.*
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.


Big, big problem

FRST or any other antivirus can't scan the .dll file; I have run it multiple times, and the results are the same.

What you see in the file I sent was the registry from Security Task Manager.

I use Security Task Manager to scan my laptop; it detects only "KMS-R@1nHook.exe" as very high risk, needs to be removed. Now the problem:

When I move my mouse (didn't click yet) to the "Remove" button, my laptop freezes for 0.5 s, very quick, and "KMS-R@1nHook.exe", which was a virus and was detected before, disappears.

I try to scan again; Security Task Manager can't find anything, so I try a custom scan directly on "KMS-R@1nHook.exe": nope, not a virus.

I think, what the hell is this thing; it can adapt to the environment and disguise itself from the security.

The longest time I could see it in Security Task Manager was 5 s. This thing needs to be detected quickly and removed fast enough so it can't freeze the laptop and change its info.

Do you have any tool that can detect this quickly enough to remove it? I think of 2 options for this:

1. Some nuke that can scan it down in 3 s and delete it right away (low success chance)

2. Some sneaky tool that can go behind it without notice; it might have a longer scan, but I think the success rate could be higher, because when this thing finds an antivirus or something like that it can just freeze the laptop and disguise itself.

So in my opinion I choose option 2, if you have it.

SearchReg.txt


Hi,


Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as type" is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.


Windows Registry Editor Version 5.00


[HKEY_USERS\S-1-5-21-3786803925-4159300429-4166457692-500\Software\Neuber GbR\Security Task Manager\Comment]
"C:\Windows\kms-r@1nhook.exe"=-
[HKEY_USERS\S-1-5-21-3786803925-4159300429-4166457692-500\Software\Neuber GbR\Security Task Manager\Options]
"HistoryExe"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.

Is the problem solved?


 

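The two steps above, the FRST registry search for `KMS-R@1nHook.*` and the .reg file that deletes the two leftover values, can both be done with PowerShell's registry provider. This is an added example, not FRST and not the fix posted in the thread: it reports matching key names, value names and value data under HKLM and the current user's hive, then removes the two entries the .reg file targets after exporting their parent key as a backup. Using HKCU instead of the explicit HKEY_USERS\S-1-5-21-...-500 path assumes the script runs as the same account that used Security Task Manager; the search roots are an assumption as well.

```powershell
# Added example (not FRST, not the thread's .reg fix): search the registry for a
# string in key names, value names and value data, then remove known leftovers.
# Assumptions: the search roots below, and that this runs as the account whose
# hive held the Security Task Manager entries (HKCU instead of the explicit SID).
# Run from an elevated PowerShell.

$needle = 'KMS-R@1nHook'             # literal text from the thread
$rx     = [regex]::Escape($needle)   # so '@' and '.' are matched literally
$roots  = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software'

function Find-RegistryText {
    param([string[]]$Roots, [string]$Regex)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_   # Microsoft.Win32.RegistryKey
            if ($key.PSChildName -match $Regex) {
                [pscustomobject]@{ Key = $key.Name; ValueName = '<key name>'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $Regex -or $data -match $Regex) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $data }
                }
            }
        }
    }
}

$hits = @(Find-RegistryText -Roots $roots -Regex $rx)
'{0} matching registry entries' -f $hits.Count
$hits | Format-Table -AutoSize

# Remove the two entries the thread's .reg file deleted (the "=-" lines), with a
# backup of the parent key first so the change can be reverted by merging the export.
$stm = 'HKCU:\Software\Neuber GbR\Security Task Manager'
if (Test-Path -LiteralPath $stm) {
    $backup = Join-Path $env:USERPROFILE 'Desktop\stm-backup.reg'
    reg.exe export 'HKCU\Software\Neuber GbR\Security Task Manager' $backup /y | Out-Null
    Remove-ItemProperty -LiteralPath "$stm\Comment" -Name 'C:\Windows\kms-r@1nhook.exe' -ErrorAction SilentlyContinue
    Remove-ItemProperty -LiteralPath "$stm\Options" -Name 'HistoryExe' -ErrorAction SilentlyContinue
    "Removed the leftover values; backup written to $backup"
}
```

A hit whose Key is under a third-party tool's own settings, as here (Security Task Manager keeps a comment and a history of executables it has seen), is a record of a file that once existed, not evidence that the file is still present; a hit under Run, RunOnce, Services or Winlogon would be a persistence entry and worth a closer look before deleting.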

Hi,

Run the Farbar program (.exe) as an Administrator.

In the Search text area, copy and paste the following:
KMS-R@1nHook.dll
Once done, click on the Search Files button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
===

You can delete the file if found.

p.s.

Is the problem solved?

If not, do you see it in the Task Manager?

If yes, under which menu?

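The file search above, and the original poster's earlier question about files hidden from Explorer, can be done from PowerShell. This is an added example, not FRST: it walks the usual install locations with hidden and system files included, records size, SHA256 hash and Authenticode status for every match so there is a record before anything is deleted, and checks whether a running process has the file open or the DLL loaded, since a locked file is the usual reason a deletion appears to fail. The search roots are an assumption; the file name pattern is the one from the thread. Run from an elevated PowerShell.

```powershell
# Added example (not FRST): find every file matching a name pattern, hidden and
# system files included, and record size, hash and Authenticode status before
# deleting anything. The pattern is the file name from the thread; the search
# roots are an assumption. Run from an elevated PowerShell.

$pattern = 'KMS-R@1nHook.*'
$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)},
           $env:ProgramData, $env:USERPROFILE) | Where-Object { $_ }

function Find-FilesByName {
    param([string[]]$Roots, [string]$Filter)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Filter $Filter -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Created   = $_.CreationTime
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = $sig.Status            # NotSigned, Valid, HashMismatch, ...
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

function Get-ProcessesUsingFile {
    # A process started from the file, or one that has loaded it as a DLL, keeps it locked.
    param([string]$Path)
    foreach ($p in Get-Process) {
        try {
            if ($p.Path -eq $Path) { $p; continue }
            if (($p.Modules | ForEach-Object { $_.FileName }) -contains $Path) { $p }
        } catch { }   # access denied on protected/system processes; skip them
    }
}

$found = @(Find-FilesByName -Roots $roots -Filter $pattern)
$found | Format-List
$found | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\suspect-files.csv') -NoTypeInformation

foreach ($f in $found) {
    $users = @(Get-ProcessesUsingFile -Path $f.Path)
    if ($users) {
        '{0} is in use by: {1}' -f $f.Path, (($users | ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" }) -join ', ')
        $users | Stop-Process -Force -WhatIf
    }
    Remove-Item -LiteralPath $f.Path -Force -WhatIf   # drop -WhatIf to really delete
}
```

The SHA256 column is what to paste into VirusTotal or give to a helper: it identifies the file regardless of name or location, and a second run after the reboot shows whether the same hash reappeared, which would mean something is re-creating it rather than the earlier delete having failed.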

Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for tips to help protect against infection.

Thank you
