
Please help!



Hi 

I don't even know where to start. After losing my mind trying to find the issues by myself, going through the system32 folder for the past couple of days, I think I need help, big time.

There are plenty of processes and services running with usernames like e.g. LocalSystemNetworkRestricted. I have 32 GB of RAM and about 15% is being used with no apps running by me.

There are numerous devices showing up in Device Manager, and remote connections, and so much more; I don't know what's legit and what's not.

I am sending a few pictures taken with my phone, since I went offline on the PC for now.

I am really desperate, can you help please? 

20220522_174947.jpg

20220522_174906.jpg

20220522_174933.jpg


Hello @exhausted and welcome!

 

My name is MKDB and I will assist you.

 

Please don't panic! Typically, all of these processes and services are part of Windows itself, not malware. So please calm down. 🙂

"LocalSystemNetworkRestricted" belongs to svchost.exe, which is a legit Microsoft Windows system file, no need to worry!

Does the system behave differently than before? Are there problems?

We will have a look at your system.

 

Please note:

  • Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.

 

 

I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Searching, detecting and removing malware isn't instantaneous, please be patient. Please stick with me until I give you the "all clear".
  • Only run the tools I guide you to.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.

 

 

Step 1

  • If you already have Malwarebytes installed, then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed or if you don't run the newest version yet, please download it from here and install it.
  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run, then please skip to the next step and let me know in your next reply that the scanner would not run.

 

 

Step 2

Please download AdwCleaner and save it to your desktop.

  • Double-click to run it.
  • Accept the End User License Agreement.
  • Click Scan Now.
  • When finished, if items are found please click Next / Quarantine.
  • Your PC may be rebooted; AdwCleaner will then be opened automatically.
  • Click View Log File.
  • AdwCleaner will open one log (AdwCleaner[Cxx].txt).
  • Please attach the log to your next reply.

 

 

Step 3

Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Check the box in front of Shortcut.txt.
  • Press the Scan button.
  • FRST will create three logs (FRST.txt + Addition.txt + Shortcut.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

 


Hi MKDB

Thank you for replying. I am really happy someone will try to help me with this problem. 

Sorry for the delayed reply. It was too late last night for me to do anything since I live in Europe. 

I am going to start downloading everything and should be ready soon. Should I do a backup? I mean, that would take a long while, but I can if it's needed.

Also, I don't use any pirated software. Either paid or freeware from the Microsoft Store, or VST plugins from websites like pluginboutique.com, or paid or free plugins downloaded from their direct websites, either as .rar or via download hubs.

I think I might have made a mess when my audio drivers were playing up about a year ago; I downloaded some drivers from the Intel, AMD and ASUS websites, but probably too many.

The problem with the audio drivers never really went away, since Windows was always splitting up the dedicated drivers for my USB audio interface, leaving them for a USB device interface and then creating an audio endpoint for which it was leaving a generic driver. That frustration led to me investigating and going through system folders and Event Viewer and so on.

 

Anyway, just let me know if I have to do a backup of my things and I'm going to download everything. Also, don't worry about me using slang, since English is not my first language either.

Once again thank you for agreeing to help me. 

 

 


Hi @exhausted,

A backup of your private data is never a bad idea, so please do it.

I'm living in Europe (more precisely Germany) as well, so English is not my native language either. 😉

Waiting for your logfiles later today.

 


1cancelled.txt Shortcut.txt FRST.txt Addition.txt AdwCleaner[S00].txt AdwCleaner[C00].txt 3completed.txt 2cancelled.txt

Hi there again

What a ride it was. I had a brief glimpse at the reports and oh boy, there is a lot found already.

Right, first things first. I did a backup before starting any of the recommended steps, using the Acronis backup recovery disk. I reminded myself that I had something like that lying around, since it came with the PC.

I have Avast Premium Security installed (not so premium after all) and the Malwarebytes Edge extension. I remember now that it popped up with a notification some time ago when I was downloading freeware plugins from the KVR forum (no more doing that). I thought it did not go through, but what I did back then was go back from the page as Malwarebytes suggested and then try again, thinking that sometimes legit sources are flagged as viruses, and ignored it. Big mistake.

So now it is probably not the end of my troubles, I assume. I will patiently wait for the next move and follow accordingly per your suggestions.

One thing I am worried about, though, is that other less secure devices on my network could probably get infected. There are a few smart devices like Alexa or smart bulbs, TVs, phones and quite a few consoles. I have changed my internet supplier now and got an Eero 6 router that has its own defences and was catching quite a few trying to get through.

Anyway, I feel less exhausted now, since my suspicions were right and I am in the right hands.

 

 


Thank you for those logfiles @exhausted and your detailed feedback.

 

First of all, let me say that your system is not in danger regarding malware. There are some PUP/malware related orphans/leftovers from a previous infection, but no active infection is visible in the logfiles. Moreover, malware usually doesn't work on different platforms.

We will remove those things as well as other empty entries, check Windows system files and delete temp files. This (Step 1) can take some minutes. Please be patient. You should close all open programs before you run Step 1.

After that, we run a scan with MSS (Step 2).

 

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( E:\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

Step 2

The Microsoft Safety Scanner (MSS) is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

  • The download links and the how-to-run-the-tool instructions are at this link at Microsoft.
  • Please let me know the results of this scan.
  • Run a Quick Scan.
  • The log is named MSERT.log.
  • The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

  • Please attach that log with your next reply.

 

 

 

fixlist.txt


Hi @MKDB 

It's done. I have included all the files from the debug folder. The scanner showed a trojan that was removed, which was not included in the log file, therefore I am sending you a print screen.

There was one more file in the debug folder that could not be uploaded. The forum's website hit me with an unsupported file notification, so I have done a screenshot of it as well.

The audio interface is still being split, ending up with the genuine driver for the device itself, but Windows creates an audio endpoint with a generic driver.

That is most likely due to my incompetence with reinstalling drivers when things were going wrong. Back when my computer started playing up for the first time, I did some antivirus scans and concluded that it was probably a Windows Update driver issue, and I installed a bunch of different drivers which are still there conflicting.

Anyway, enough for tonight. Thank you for your help today; I can sleep a bit better now.

Looking forward to hearing from you tomorrow.

 

 

MSS prtsc.png

PASSWD prtsc.png

mrt.log msert.log NetSetup.LOG wiatrace.log Fixlog.txt


Thank you for the logfiles @exhausted.

From the fixlog.txt:

Windows Resource Protection found corrupt files but was unable to fix some of them. 🙂

 

MSS did not find a trojan; this is just a special setting regarding Windows Defender, nothing to worry about.

 

 

Step 1

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 


6 minutes ago, exhausted said:

I am sending you requested files. Looks like there is still something hiding.

Thanks again! Why do you think that there is something hiding @exhausted? Can you explain to me, please?

Your files look good to me. 🙂

 

 



Right. That driver situation, for example. It is a 64-bit driver which shows up in Services as 32-bit. Also, when you look at the .pdf attached, genuine Zedi drivers are used for a USB device and that is it. All the inputs and outputs from the Zedi device are being classed as audio endpoints and controlled by Microsoft drivers instead, which defeats the genuine drivers' purpose.


Zedi pdf.pdf


I mean, if it isn't caused by any damage from malware, there must be an option to fix that.

I am sorry if it isn't, because you have done a lot more for me than I could've imagined and I can't thank you enough. I am definitely switching to Malwarebytes now, since having Avast Premium did not help after all.

If it is not due to viruses, could you at least point me in the right direction where I can look for help with that issue?

And also how to prevent these attacks in the future and be better prepared?

 


One more thing I have noticed is that the checks have not included the other disk I have, E:/ Audio Drive, and I have copied some of my documents and files over there.

The Acronis backup was done only for the system drive. Should I worry that those files could still infect me if any of them are in .rar files?


  • Root Admin

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour

 

Then temporarily disable your Avast antivirus real-time protection and exit out of Malwarebytes and run the following fix. @exhausted

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Hi @AdvancedSetup

I have a few questions before we start.

The password manager is great advice. I think Dashlane would be best since it is hybrid, but I can't afford a premium option now, so I'm not sure. I want to save you guys time by not going through every option now, so if you have a suggestion which to pick, I'm all ears.

Do you want me to get the password manager before or after I run FRST?

I don't remember all the passwords; there are simply too many, which is why I was always leaning towards resetting one if I forgot it, or keeping it in Avast Passwords. That leads to another issue, since I expect my phone could be infected too, because transferring files between PC and phone was done often; so accessing those accounts later on my phone, could that be a potential issue?

The firewall rules I am not sure about. The only custom rules, I think, are from the Eero 6 device, which is our home router that I control using the app, which enables me to create profiles for ad-blocks and such.

One last thing is Avast, which I cannot fully turn off, or I cannot find the option to turn it off completely. I can only choose a quiet mode option that allows it to turn off live protection for working alongside other antivirus applications.

Thanks


As usual, per my bad short-term memory, I forgot to mention that when I was uninstalling Bonjour it asked me to turn off Edge, which I ignored without too much thinking. I am not sure that was the right move. But Bonjour is an app I have never installed personally, since I don't use any Apple products.


  • Root Admin

Bitwarden is free: https://bitwarden.com/pricing/

Use Password Management software

Bitwarden
KeePass Password Safe

Make sure you use a strong master password
Then set the key transformation settings (the link below helps provide information on how to choose good settings)
https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing
KeePass Password Manager: Full Detailed Setup (good YouTube video on setup and using Keepass but choose the Argon2 method for Key transformation)

Password Managers Compared: LastPass vs KeePass vs Dashlane vs 1Password

https://www.theregister.com/2021/02/25/lastpass_android_trackers_found/

 

The script will attempt to clean cookies. Any site that is storing your credentials via a cookie will potentially be removed. Personally, I don't think you should use a password manager from any AV company. What happens when you want to leave that company and try another product? You're in for a lot of work switching to another password manager.

 

Almost no one has custom firewall rules. It's possible but rare.

Yes, you just need to turn off the live protection from your antivirus so that it doesn't prevent the script from running properly.

Thanks @exhausted

 


Hi @AdvancedSetup

I have done the fix with FRST64. I haven't installed KeePass, since I did not want to risk it yet in case there were still some potential keyloggers.

I have one more quite important question: does loud clicking sometimes indicate physical damage to the disk or motherboard? Could that potentially have been done by the viruses I had? Going through some of the log files, from what I could gather it seemed like I had hidden partitions and Windows was running as 7 instead of 10?

 

Fixlog.txt


  • Root Admin

Normally, hard drive clicking is regarded as a sign of a failing hard drive. If you're experiencing this I would highly suggest that you back up all important data on that drive as soon as you can to another drive.

 

 

The system found some corruption but says it was unable to correct it.

Please open an elevated admin command prompt, type in the following, press the Enter key and let me know the exact message it says.

SFC /SCANNOW

 

Thanks @exhausted

 



Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some of them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.
CBS.log CbsPersist_20220521165404.log

 

Here's the log. I have also found a hidden system .txt file in the same location.

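When SFC reports "found corrupt files but was unable to fix some of them", the usual next step is to pull the [SR] lines out of CBS.log to see which files it gave up on. The Python below is an added example, not code from the thread or from Microsoft: it runs that filter over a constructed sample of CBS.log lines (the component and file names are invented) and counts the "Cannot repair member file" entries.

```python
import re
from collections import Counter

# Constructed sample of CBS.log lines. The line shape follows Windows' CBS/CSI
# logging, but every name, timestamp and component here is invented.
SAMPLE_CBS_LOG = """\
2022-05-21 16:54:04, Info                  CBS    TI: --- Initializing Trusted Installer ---
2022-05-21 16:54:10, Info                  CSI    000001a2 [SR] Verifying 100 components
2022-05-21 16:54:11, Info                  CSI    000001a3 [SR] Beginning Verify and Repair transaction
2022-05-21 16:54:20, Info                  CSI    000001b0 [SR] Cannot repair member file [l:22]'Microsoft.Windows.Example.dll' of Example-Component, version 10.0.19041.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2022-05-21 16:54:21, Info                  CSI    000001b1 [SR] Repairing corrupted file [l:11]'example.sys' from store
2022-05-21 16:54:22, Info                  CSI    000001b2 [SR] Repaired file [l:11]'example.sys' by copying from backup
2022-05-21 16:54:25, Info                  CSI    000001b3 [SR] Cannot repair member file [l:22]'Microsoft.Windows.Example.dll' of Example-Component, version 10.0.19041.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2022-05-21 16:54:30, Info                  CSI    000001b4 [SR] Verify complete
"""

# A CSI line carrying an [SR] (system repair) message; other CBS lines are ignored.
SR_LINE = re.compile(r"^(?P<ts>\S+ \S+), (?P<level>\w+)\s+CSI\s+\w+ \[SR\] (?P<msg>.*)$")
# Older builds write [l:24{12}]"name", newer ones [l:22]'name'; accept both quote styles.
MEMBER_FILE = re.compile(r"""\[l:\d+(?:\{\d+\})?\]["'](?P<name>[^"']+)["']""")


def sr_entries(log_text):
    """Return (timestamp, message) for every [SR] line, what findstr /c:"[SR]" would list."""
    entries = []
    for line in log_text.splitlines():
        m = SR_LINE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("msg")))
    return entries


def unrepaired_files(log_text):
    """Count 'Cannot repair member file' hits per file name (one per verification pass)."""
    counts = Counter()
    for _, msg in sr_entries(log_text):
        if msg.startswith("Cannot repair member file"):
            m = MEMBER_FILE.search(msg)
            if m:
                counts[m.group("name")] += 1
    return dict(counts)


def repaired_files(log_text):
    """File names SFC reports as successfully repaired, in order of first appearance."""
    names = []
    for _, msg in sr_entries(log_text):
        if msg.startswith("Repaired file"):
            m = MEMBER_FILE.search(msg)
            if m and m.group("name") not in names:
                names.append(m.group("name"))
    return names


def summarize(log_text):
    return {
        "sr_lines": len(sr_entries(log_text)),
        "repaired": repaired_files(log_text),
        "unrepaired": unrepaired_files(log_text),
    }


if __name__ == "__main__":
    # On a real machine read C:\Windows\Logs\CBS\CBS.log (errors="replace" copes with odd bytes).
    print(summarize(SAMPLE_CBS_LOG))
```

A file that appears under "unrepaired" on every pass is the one to chase with DISM or an in-place repair, while a name that only shows up under "repaired" needs no further action.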

  • Root Admin

No, there are just a few minor entries that it says it's having issues fixing.

Please follow the directions from the following and see if it helps to fix it.

Make sure you disable your antivirus real-time protection while doing this.

 


Hi there again @AdvancedSetup

After running DISM and SFC, the problem still persists. I am going to have to run the image tool.

I've got Windows 10 Home 21H1 OS 19043.1706 and the tool is 21H2; does it matter?

Also what is the difference between version with N at the end and without it?

 


This topic is now closed to further replies.