exhausted, Posted May 22, 2022 (ID:1516632)

Hi, I don't even know where to start. After losing my mind trying to find the issues by myself, going through the system32 folder for the past couple of days, I think I need help, big time. There are plenty of processes and services running with usernames like e.g. LocalSystemNetworkRestricted. I have 32 GB of RAM and about 15% is being used with no apps run by me. There are numerous devices showing up in Device Manager, and remote connections, and so much more; I don't know what's legit and what's not. I am sending a few pictures taken with my phone since I went offline on the PC for now. I am really desperate, can you help please?
MKDB, Posted May 22, 2022 (ID:1516642)

Hello @exhausted. My name is MKDB and I will assist you. Please don't panic! Typically, all of these processes and services are part of Windows itself, not malware. So please calm down. 🙂 "LocalSystemNetworkRestricted" belongs to svchost.exe, which is a legit Microsoft Windows system file, no need to worry! Does the system behave differently than before? Are there problems? We will have a look at your system.

Please note: Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.

Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed. Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.

As English is not my native language, please do not use slang or idioms. It may be hard for me to understand. I will guide you along on looking for potential malware. Let's keep these principles as we go along. Searching, detecting and removing malware isn't instantaneous, please be patient. Please stick with me until I give you the "all clear". Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.

Step 1
If you already have Malwarebytes installed, then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
If you don't have Malwarebytes installed or if you don't run the newest version yet, please download it from here and install it. Once the MBAM dashboard opens, click on Settings (gear icon). Click on the Security tab and make sure that all four Scan options are enabled. Close Settings and click on the Scan button on the dashboard. Once the scan is completed, make sure you have it quarantine any detections it finds.
If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop.
If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or another location you can find, and attach that log to your next reply.
If the computer restarted to quarantine, you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or another location you can find, and attach that log to your next reply.
If Malwarebytes won't run, then please skip to the next step and let me know in your next reply that the scanner would not run.

Step 2
Please download AdwCleaner and save it to your desktop. Double-click to run it. Accept the End User License Agreement. Click Scan Now. When finished, if items are found please click Next / Quarantine. Your PC may be rebooted; AdwCleaner will be opened automatically. Click View Log File. AdwCleaner will open one log (AdwCleaner[Cxx].txt). Please attach the log to your next reply.

Step 3
Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit. Double-click to run it. When the tool opens, click Yes to the disclaimer. Check the box in front of Shortcut.txt. Press the Scan button.
FRST will create three logs (FRST.txt + Addition.txt + Shortcut.txt) in the same directory the tool is run from. Please attach these logfiles to your next reply.
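The reply above says that LocalSystemNetworkRestricted belongs to svchost.exe. A defender who wants to confirm that for themselves, rather than take it on trust, can check two things: that every process named svchost.exe runs from the real System32 path with a valid Microsoft signature, and which services Windows actually hosts in that group. The following PowerShell is an added example written for this page; it is not part of the thread or any of the tools mentioned in it. It assumes Windows PowerShell 5.1 or later on Windows 10 and an elevated prompt (process paths of SYSTEM-owned processes are otherwise not readable); the function names are my own.

```powershell
# Added example (not from the forum thread): verify svchost.exe instances and
# list the services hosted in the LocalSystemNetworkRestricted service group.
# Assumes Windows 10, Windows PowerShell 5.1+, run as administrator.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Test-SvchostInstances {
    # One record per running svchost.exe: where it runs from, whether that is the
    # expected path, and what the Authenticode signature check says about the file.
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Pid          = $_.Id
            Path         = $path
            ExpectedPath = [bool]($path -and ($path -ieq $expected))
            SigStatus    = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-ServiceGroupMembers {
    param([string]$Group = 'LocalSystemNetworkRestricted')
    # A service hosted by svchost carries the group name on its command line, e.g.
    #   C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p
    # so the group is recoverable from the service definition itself.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match "svchost\.exe\s+-k\s+${Group}\b" } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

# Anything with ExpectedPath = False or SigStatus other than 'Valid' deserves a closer look;
# a process merely *named* svchost.exe from another folder is the classic impersonation.
Test-SvchostInstances | Format-Table -AutoSize
Get-ServiceGroupMembers | Format-Table -AutoSize
```

The second table is the answer to the original question: the entries are ordinary Windows services (with StartName showing the account they run as), and the "username" seen in Task Manager is the host group, not a user account.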
exhausted (Author), Posted May 23, 2022 (ID:1516713)

Hi MKDB, thank you for replying. I am really happy someone will try to help me with this problem. Sorry for the delayed reply. It was too late last night for me to do anything since I live in Europe. I am going to start downloading everything and should be ready soon. Should I do a backup? I mean, that would take a long while, but I can if it's needed. Also, I don't use any pirate software. Either paid or freeware from the Microsoft Store, or VST plugins from websites like pluginboutique.com, or paid or free plugins downloaded from their direct websites, either as .rar or via download hubs. I think I might have made a mess when my audio drivers were playing up about a year ago: I downloaded some drivers from the Intel, AMD and ASUS websites, but probably too many. The problem with the audio drivers never really went away, since Windows was always splitting up the dedicated drivers for my USB audio interface, leaving them for a USB device interface and then creating an audio endpoint which was left with a generic driver. That frustration led to me investigating and going through system folders and event viewers and so on. Anyway, just let me know if I have to do a backup of my things and I'm going to download everything. Also, don't worry about me using slang, since English is not my first language either. Once again thank you for agreeing to help me.
MKDB, Posted May 23, 2022 (ID:1516717)

Hi @exhausted, a backup of your private data is never a bad idea, so please do it. I'm living in Europe (more precisely Germany) as well, so English is not my native language either. 😉 Waiting for your logfiles later this day.
exhausted (Author), Posted May 23, 2022 (ID:1516781)

Attachments: 1cancelled.txt, Shortcut.txt, FRST.txt, Addition.txt, AdwCleaner[S00].txt, AdwCleaner[C00].txt, 3completed.txt, 2cancelled.txt

Hi there again. What a ride it was. I had a brief glimpse at the reports and oh boy, there is a lot found already. Right, first things first. I did a backup before starting any of the recommended steps, using the Acronis backup recovery disk. I reminded myself that I had something like that lying around since it came with the PC. I have Avast Premium Security installed (not so premium after all) and the Malwarebytes Edge extension. I remember now that it popped up with a notification some time ago when I was downloading freeware plugins from the KVR Forum (no more doing that). I thought it did not go through, but what I did back then was go back from the page as Malwarebytes suggested and then try again, thinking that sometimes legit sources are flagged as viruses, and ignored it. Big mistake. So now it is probably not the end of my troubles, I assume. I will patiently wait for the next move and follow accordingly per your suggestions. One thing I am worried about though is that other, less secure devices on my network could probably get infected. There are a few smart devices like Alexa or smart bulbs, TVs, phones and quite a few consoles. I have changed my internet supplier now and got an Eero 6 router that has its own defences and was catching quite a few trying to get through. Anyway, I feel less exhausted now since my suspicions were right and I am in the right hands.
exhausted (Author), Posted May 23, 2022 (ID:1516783)

One thing I forgot to mention is that there are 3 reports for the Malwarebytes scan, since I had notification pop-ups that definitions were not up to date.
MKDB, Posted May 23, 2022 (ID:1516785)

Thank you for those logfiles @exhausted and your detailed feedback. First of all, let me say that your system is not in danger regarding malware. There are some PUP/malware related orphans/leftovers from a previous infection, but no active infection is visible in the logfiles. Moreover, malware usually doesn't work on different platforms. We will remove those things as well as other empty entries, check Windows system files and delete temp files. This (Step 1) can take some minutes. Please be patient. You should close all open programs before you run Step 1. After that, we run a scan with MSS (Step 2).

Step 1
Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( E:\Downloads\ ). Note: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work. Close all open programs and save your work. Run FRST again. Press the Fix button only once and wait. Please be patient. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. FRST will create one log now (Fixlog.txt) in the same directory the tool is run from. Please attach this logfile to your next reply.

Step 2
The Microsoft Safety Scanner (MSS) is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool instructions are at this link at Microsoft. Please let me know the results of this scan. Run a Quick Scan. The log is named MSERT.log. The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is C:\Windows\debug\msert.log. Please attach that log with your next reply.

Attachment: fixlist.txt
exhausted (Author), Posted May 23, 2022 (ID:1516788)

I have one more question. Shortcut.txt is unchecked again; does it need to be, or do you want me to tick it?
exhausted (Author), Posted May 23, 2022 (ID:1516797)

Hi @MKDB, it's done. I have included all the files from the debug folder. The scanner showed a trojan that was removed, which was not included in a log file, therefore I am sending you a print screen. There was one more file in the debug folder that could not be uploaded. The forum's website hit me with an unsupported file notification, so I have done a screenshot of it as well. The audio interface is still being split, ending up with the genuine driver for the device itself, but Windows creates an audio endpoint with a generic driver. That is most likely due to my incompetence with reinstalling drivers when things were going wrong. Back when my computer started playing up for the first time, I did some antivirus scans and concluded that it was probably a Windows Update drivers issue, and I installed a bunch of different drivers which are still there conflicting. Anyway, enough for tonight. Thank you for your help today, I can sleep a bit better now. Looking forward to hearing from you tomorrow.

Attachments: mrt.log, msert.log, NetSetup.LOG, wiatrace.log, Fixlog.txt
MKDB, Posted May 24, 2022 (ID:1516858)

Thank you for the logfiles @exhausted. From the Fixlog.txt: "Windows Resource Protection found corrupt files but was unable to fix some of them." 🙂 MSS did not find a trojan; this is just a special setting regarding Windows Defender, nothing to worry about.

Step 1
Run FRST again. Do not change any settings. Press the Scan button. FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run from. Please attach these logfiles to your next reply.
exhausted (Author), Posted May 24, 2022 (ID:1516889)

Hi @MKDB, I am sending you the requested files. Looks like there is still something hiding.

Attachments: Addition.txt, FRST.txt
MKDB, Posted May 24, 2022 (ID:1516890)

6 minutes ago, exhausted said: "I am sending you the requested files. Looks like there is still something hiding."

Thanks again! Why do you think that there is something hiding @exhausted? Can you explain to me, please? Your files look good to me. 🙂
exhausted (Author), Posted May 24, 2022 (ID:1516895)

Right. That driver situation, for example. It is a 64-bit driver which shows up in services as 32. Also, when you look at the .pdf attached, the genuine Zedi drivers are used for a USB device and that is it. All the inputs and outputs from the Zedi device are being classed as audio endpoints and controlled by Microsoft drivers instead, which defeats the genuine drivers' purpose.

Attachment: Zedi pdf.pdf
exhausted (Author), Posted May 24, 2022 (ID:1516897)

I mean, if it isn't caused by any damage from malware, there must be an option to fix that. I am sorry if it isn't, because you have done a lot more for me than I could've imagined and I can't thank you enough. I am definitely switching to Malwarebytes now, since having Avast Premium did not help after all. If it is not due to viruses, could you at least point me in the right direction where I can look for help with that issue? And also, how to prevent these attacks in the future and be better prepared?
exhausted (Author), Posted May 24, 2022 (ID:1516898)

One more thing I have noticed is that the checks have not included the other disk I have, E:/ Audio Drive, and I have copied some of my documents and files over there. The Acronis backup was done only for the system drive. Should I worry that those files could still infect me if any of them are in .rar files?
AdvancedSetup (Root Admin), Posted May 24, 2022 (ID:1516926)

Please go to Control Panel, Programs, Programs and Features and uninstall the following: Bonjour

Then temporarily disable your Avast antivirus real-time protection and exit out of Malwarebytes and run the following fix.

@exhausted Please download the attached fixlist.txt file and save it to the Desktop or the location where you ran FRST from. NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work. Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version, please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed. Also, make sure you know the passwords for all websites, as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings, including the firewall. If you have custom firewall rules you need to save, please export or save them first before running this fix.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix. The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks
exhausted (Author), Posted May 24, 2022 (ID:1516943)

Hi @AdvancedSetup, I have a few questions before we start. The password manager is great advice. I think Dashlane would be best since it is hybrid, but I can't afford a premium option now, so I'm not sure. I want to save you guys time by not going through every option now, so if you have a suggestion which to pick, I'm all ears. Do you want me to get the password manager before or after I run FRST? I don't remember all the passwords, there are simply too many; that is why I was always leaning towards resetting them if I forgot, or keeping them in Avast Passwords. That leads to another issue, since I expect my phone could be infected too, because transferring files between the PC and phone was done often, so could accessing those accounts later on my phone be a potential issue? The firewall rules I am not sure about. The only custom rules I think are from the Eero 6 device, which is our home router that I control using the app, which enables me to create profiles for ad-blocks and such. One last thing is Avast, which I cannot fully turn off, or I cannot find the option to turn it off completely. I can only choose a quiet mode option that allows it to turn off live protection for working alongside other antivirus applications. Thanks
exhausted (Author), Posted May 24, 2022 (ID:1516945)

As usual, per my bad short memory, I forgot to mention that when I was uninstalling Bonjour it asked me to turn off Edge, which I ignored without too much thinking. I am not sure that was the right move. But Bonjour is an app I have never installed personally, since I don't use any Apple products.
AdvancedSetup (Root Admin), Posted May 24, 2022 (ID:1516953)

BitWarden is free: https://bitwarden.com/pricing/

Use password management software: Bitwarden, KeePass Password Safe. Make sure you use a strong master password. Then set the key transformation settings (the link below helps provide information on how to choose good settings): https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing

KeePass Password Manager: Full Detailed Setup (good YouTube video on setup and using KeePass, but choose the Argon2 method for key transformation)

Password Managers Compared: LastPass vs KeePass vs Dashlane vs 1Password
https://www.theregister.com/2021/02/25/lastpass_android_trackers_found/

The script will attempt to clean cookies. Any site that is storing your credentials via the cookie will potentially be removed. Personally, I don't think you should use a password manager from any AV company. What happens when you want to leave that company and try another product? You're in for a lot of work switching to another password manager.

Almost no one has custom firewall rules. It's possible but rare.

Yes, you just need to turn off the live protection from your antivirus so that it doesn't prevent the script from running properly.

Thanks @exhausted
exhausted (Author), Posted May 25, 2022 (ID:1517018)

Hi @AdvancedSetup, I have done the fix with FRST64. I haven't installed KeePass since I did not want to risk it yet if there could still be some potential keyloggers. I have one more quite important question: does loud clicking sometimes indicate physical damage to the disk or motherboard? Could that potentially have been done by the viruses I had? By going through some of the log files, from what I could gather it seemed like I had hidden partitions and Windows was running as 7 instead of 10?

Attachment: Fixlog.txt
AdvancedSetup (Root Admin), Posted May 25, 2022 (ID:1517024)

Normally, hard drive clicking is regarded as a sign of a failing hard drive. If you're experiencing this, I would highly suggest that you back up all important data on that drive as soon as you can to another drive.

The system found some corruption but says it was unable to correct it. Please open an elevated admin command prompt, type in the following, press the Enter key, and let me know the exact message it says.

SFC /SCANNOW

Thanks @exhausted
exhausted (Author), Posted May 25, 2022 (ID:1517037)

Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them. For online repairs, details are included in the CBS log file located at windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline repairs, details are included in the log file provided by the /OFFLOGFILE flag.

Attachments: CBS.log, CbsPersist_20220521165404.log

Here's the log. I have also found a hidden system .txt file in the same location.
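The SFC message above points at CBS.log but that file mixes servicing-stack entries with the SFC ones, so the files it could not repair are hard to find by eye. The PowerShell below is an added example written for this page, not code from the thread or from any tool it mentions; it filters the "[SR]" lines that SFC writes and pulls out the file name from each "Cannot repair member file" entry. It assumes the default log location %windir%\Logs\CBS\CBS.log and an elevated prompt (the log is readable only by administrators); the function name and the three sample log lines are constructed for the example, not taken from this machine.

```powershell
# Added example (not from the forum thread): extract System File Checker results
# from CBS.log. Assumes Windows 10, Windows PowerShell 5.1+, elevated prompt.

function Get-SfcRepairFailures {
    param(
        # Default: read the real log. Pass -Lines to analyse a saved copy or sample text.
        [string[]]$Lines = (Get-Content -Path (Join-Path $env:windir 'Logs\CBS\CBS.log'))
    )
    # SFC tags its own entries with "[SR]". An entry it could not fix reads like
    #   [SR] Cannot repair member file [l:NN]"name.dll" of <component>, ...; source file in store is also corrupted
    # (older builds use [l:NN{NN}], hence the tolerant bracket match).
    $Lines |
        Where-Object { $_ -match '\[SR\]' } |
        ForEach-Object {
            if ($_ -match 'Cannot repair member file \[l:[^\]]+\]"(?<file>[^"]+)"') {
                [pscustomobject]@{ File = $Matches.file; Line = $_ }
            }
        }
}

# Constructed sample lines in CBS.log layout (illustrative only, not real output).
$sample = @(
    '2022-05-25 10:00:01, Info  CSI  00000123 [SR] Verifying 100 components',
    '2022-05-25 10:00:02, Info  CSI  00000124 [SR] Cannot repair member file [l:11]"example.dll" of Microsoft-Windows-Example, version 10.0.19041.1, arch amd64; source file in store is also corrupted',
    '2022-05-25 10:00:03, Info  CSI  00000125 [SR] Repair complete'
)

# Expected: one record, File = example.dll
Get-SfcRepairFailures -Lines $sample | Format-Table -AutoSize

# Against the real log, save the findings next to the SFC output for a reply like the one above:
# Get-SfcRepairFailures | Format-List |
#     Out-File (Join-Path ([Environment]::GetFolderPath('Desktop')) 'sfcdetails.txt')
```

The "source file in store is also corrupted" wording on such a line is what distinguishes a component-store problem (the case for a DISM repair of the store) from a single damaged file that SFC could replace on its own.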
exhausted (Author), Posted May 25, 2022 (ID:1517038)

Is it possible that I have a rootkit on the board itself?
AdvancedSetup (Root Admin), Posted May 25, 2022 (ID:1517053)

No, there are just a few minor entries that it says it's having issues fixing. Please follow the directions from the following and see if it helps to fix it. Make sure you disable your antivirus real-time protection while doing this.
exhausted (Author), Posted May 25, 2022 (ID:1517070)

Hi there again @AdvancedSetup. After running DISM and the SFC, the problem is still persistent. I am going to have to run the image tool. I've got Windows 10 Home 21H1 OS 19043.1706 and the tool is 21H2; does it matter? Also, what is the difference between the version with N at the end and without it?