Undetectable malware plaguing me. Windows 11



TLDR: I have weird ports open on my laptop, WiFi stopped working, and I can't log in to my account normally. Also many other weird little things I noticed that stop me from using the computer normally.

Laptop: Razer blade 15 2019

OS: Windows 11 version 10.0.22000.739

The first unusual thing I noticed yesterday was on NetLimiter. This allowed me to see that ports 135, 137, and others were open and listening. I used NetLimiter to cancel and block these connections; however, new ones persistently popped up on port 137. I then chose to limit these to 1 byte a second since I couldn't even stop the ports from being open. I tried going through CMD to find the PID (4). I gave up after a while since nothing resulted.
I know PID 4 is part of a Windows system process; however, I found while looking online that this service may not be secure.
 

Next, I noticed the performance of my laptop had severely dropped, from around 140 fps on my main game to around 60-70 fps, with high latency. Restarting the laptop fixed this issue. Today I restarted my laptop and the WiFi would not work correctly. It would connect to the network I normally use (other people were using it at the time, so I know the network is fine), but it would say "Secured, no internet". I looked online for fixes and used netsh and the network settings to reset my IP settings and network settings. I also unplugged and plugged back in my WiFi card. At this point there was still no network connectivity.

I also only have 2 networks in my house: Network-49 and Network-49-5G. However, my laptop detected a new Network-49 2. Suspicious to me, since it looks like a fake network someone opened up near me. I have never seen Network-49 2 in 3 years at this house. This network also did not show up on my phone or other devices.
 

At this point, I decided to take all my important files off the computer and do a full factory reset. While my flash drive was plugged in, my laptop kicked the device off multiple times. I proceeded with a factory reset, which failed but didn't give me an error message as to why or how it failed. I was just returned to my login screen (this happens every time I try to reset). When I attempt to log in now I get "the user profile failed the sign in" or "ProfSvc failed the sign in, user profile cannot be loaded".

I tried multiple fixes for this as well with no luck. I'm unable to access my desktop or File Explorer. I tried using a flash drive to install a fresh version of Windows with no luck. It seems to me there is malware infecting Microsoft services and blocking me from using multiple features.

I am now sitting in safe mode CMD (the safe mode desktop doesn't load, same ProfSvc message).

If this is a malware whose signature has not been noted yet, should I be looking for a sample? As a kid who wants to get into cybersecurity, this is like a legendary Pokémon coming out of nowhere and curb stomping me.

 

 

 


  • Root Admin

Please use a USB thumb drive to copy files over to the affected system and get me logs

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

On 6/29/2022 at 4:03 AM, AdvancedSetup said:

Please use a USB thumb drive to copy files over to the affected system and get me logs

 

 


Both files attached; file 1 is FRST.txt and file 2 is Addition.txt. Let me know if there are issues with the files. Thanks

text.txt text 2.txt


  • Root Admin

Good day, @Thedragoc

Neither one of these files is from the Farbar program.

 

This is what the program looks like, and how to get it from a clean computer onto a USB disk to then use on the affected computer.

 

 

Please do the following so that we can get started and see what's going on.


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
    Do not click on any Ads.
     
  2. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.
     
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

     
  4. A "Windows protected your PC" notification may appear. This notification is from the Windows Defender SmartScreen filter, which prevents unfamiliar apps from running on your PC.
    Disable SmartScreen ONLY if it interferes with software we may have to use: What is SmartScreen and how can it help protect me?
         a.  Click More info.
         b.  Click Run anyway.
  5. When the User Account Control window appears, click Yes.

  6. To accept the Disclaimer of warranty, click Yes.
     
  7. Ensure only the boxes listed below are checked:
    Registry, Services, Drivers, Processes, Internet, One month, Addition.txt

     

  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
    Please remember to re-enable any Antivirus software when we are finished running scans.
    Click Scan. The scan may take a few minutes to complete.
     

  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:
    • Scan completed. FRST.txt is saved in the same directory FRST is located.
    • Addition.txt is saved in the same directory FRST is located.
    Click OK to close each message window.

 

Please attach both of those logs on your next reply; DO NOT copy/paste the contents of the logs directly.

 

 

Thanks

 

 


45 minutes ago, AdvancedSetup said:

Good day, @Thedragoc

Neither one of these files is from the Farbar program.

 


 

Hi AdvancedSetup, Here are the files requested. Please let me know if I am missing any additional files or anything I can do to assist you.

Addition.txt FRST.txt


1 hour ago, Thedragoc said:

Both files attached; file 1 is FRST.txt and file 2 is Addition.txt. Let me know if there are issues with the files. Thanks


These files got messed up during transfer; for some reason I decided to email them to my phone (since my computer does not run Chrome or Explorer) and the names were changed.


  • Root Admin

I don't see an obvious infection that would cause this issue, but the Event Logs indicate that the User Profile is missing. User profile corruption is common, but not finding the User Profile is not common.

 

 

Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1505) (User: TEAMOS-PC)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - The system cannot find the path specified.

Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: TEAMOS-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: TEAMOS-PC)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1505) (User: TEAMOS-PC)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - The system cannot find the path specified.

Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: TEAMOS-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: TEAMOS-PC)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

 

 

It also looks like you're using ThrottleStop from TechPowerUp.
Nothing wrong with running it, but it's installed into the Temp folder, which is wrong. It should be uninstalled and, if wanted, reinstalled, making sure the driver does not install to the Temp folder.

S3 ThrottleStop; \??\C:\Users\Owner\AppData\Local\Temp\ThrottleStop.sys [X] <==== ATTENTION

 

 

Can you try creating a NEW User profile?
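As an added triage example (not the thread's or Farbar's own code), the following parses FRST-style event and driver lines like those quoted above and flags the two things AdvancedSetup called out: User Profile Service load failures (EventID 1505/1511/1515) and a driver image sitting under a Temp directory. The Temp-directory rule, the dict field names and the sample text are this example's own, built from the lines quoted in the post.

```python
"""Triage the two FRST findings from the post above: User Profile Service errors and a driver
loaded from Temp. Added example, not code from the thread or the Farbar tool; the Temp rule
and the sample text are constructed here from the lines quoted above."""
import re

PROFILE_SERVICE = "Microsoft-Windows-User Profiles Service"
PROFILE_EVENT_IDS = {1505, 1511, 1515}  # profile-load events quoted in the thread
# Assumed rule: a driver/service image under any \Temp\ directory is user-writable, so untrusted.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
EVENT_RE = re.compile(r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\) "
                      r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)$")
# FRST driver/service line: "<start type> <name>; <image path> [X]"
SERVICE_RE = re.compile(r"^[SRU]\d (?P<name>[^;]+); (?:\\\?\?\\)?(?P<path>.+?\.(?:sys|exe|dll))"
                        r"(?: \[(?P<flag>X)\])?")


def parse_frst(text):
    """Return (profile_events, suspicious_services) as lists of dicts from FRST-style text."""
    lines = [line.strip() for line in text.splitlines()]
    events, services = [], []
    for i, line in enumerate(lines):
        m = EVENT_RE.match(line)
        if m:
            eid = int(m["event_id"])
            if m["source"] != PROFILE_SERVICE or eid not in PROFILE_EVENT_IDS:
                continue
            # FRST prints "Description: ..." on the line right after the event header.
            desc = lines[i + 1] if i + 1 < len(lines) else ""
            desc = desc[len("Description: "):] if desc.startswith("Description: ") else ""
            events.append({"when": m["when"], "event_id": eid, "user": m["user"], "description": desc})
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if TEMP_DIR_RE.search(m["path"]):
                reasons.append("image loaded from a Temp directory")
            if m["flag"] == "X":
                reasons.append("carries FRST's [X] marker")
            if reasons:
                services.append({"name": m["name"], "path": m["path"], "reason": "; ".join(reasons)})
    return events, services


def summarize(events, services):
    """Short verdict lines: missing profile, untrusted driver, or both."""
    ids = {e["event_id"] for e in events}
    out = []
    if 1511 in ids:
        out.append("profile path missing (1511): Windows fell back to a temporary profile")
    elif 1505 in ids:
        out.append("profile failed to load (1505)")
    out.extend(f"{s['name']}: {s['reason']} ({s['path']})" for s in services)
    return out


# Constructed sample: the event and driver lines quoted in the thread plus one benign driver.
SAMPLE_FRST = r"""
Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1505) (User: TEAMOS-PC)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.
Error: (06/28/2022 05:16:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: TEAMOS-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile.
R1 ExampleDrv; C:\Windows\System32\drivers\exampledrv.sys [12345 2021-01-01] (constructed benign entry)
S3 ThrottleStop; \??\C:\Users\Owner\AppData\Local\Temp\ThrottleStop.sys [X] <==== ATTENTION
"""
```

Running `summarize(*parse_frst(SAMPLE_FRST))` yields one line for the missing profile and one for the ThrottleStop driver; the benign System32 driver is not flagged.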

 


8 hours ago, AdvancedSetup said:

I don't see an obvious infection that would cause this issue, but the Event Logs indicate that the User Profile is missing. User profile corruption is common, but not finding the User Profile is not common.

 

 


 

Haha, thanks for noticing ThrottleStop; it is a fun and dangerous tool to use. I tried creating a NEW user profile through my console (pic attached); however, I ran into some issues. Also, that model is not my laptop. I can find the specific model number if you need it. I'm going to try and delete some of the unnecessary files now.
 

I really appreciate your invested time and patience in helping me. I am currently working full time and it's hard to get around to solving this issue. Thanks again, -Drago



9 hours ago, AdvancedSetup said:

I don't see an obvious infection that would cause this issue, but the Event Logs indicate that the User Profile is missing. User profile corruption is common, but not finding the User Profile is not common.

 

 


 

:( I have been pwned for sure. I clean the temp folder a lot. (Last line)



20 minutes ago, Thedragoc said:

Also, when I see that the reason the user profile can't be loaded is changing a lot, it looks like interference from a 3rd party in my opinion. I know I have said a lot, but please let me know your thoughts as well.
 

thanks -drago

I also found suspicious files and directories when I was scrubbing files by date using dir. The files I highlighted I deleted. However, xaudio2_2.dll and xinput1_2.dll could not be found! Dun dun dun, ghost files.


  • Root Admin

The SRU is a valid normal folder that stores Resource Usage and other information.

Though we might be able to force repair the computer, that probably isn't the best thing to do. I would suggest that you try to back up what data you can to an external USB drive.

Then, using a USB thumb drive, build a Windows 11 installer disk and do a CLEAN install of Windows 11. Then we can take steps to help prevent this from happening again, as well as using Macrium Reflect to create master images so that you can always restore the computer within minutes if something happens again.

 

 

How to perform a clean install of Windows 11 https://answers.microsoft.com/en-us/windows/forum/all/how-to-make-clean-install-of-windows-11/789f6891-7261-4c40-a632-6a44e53a3e30

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 
