Need help with potentially compromised system


Hi there, I have been worried about my system being compromised for quite a while. Just strange events happening every now and then. I have run my antivirus software and it has found nothing; I also downloaded the free ESET scanner, which found nothing. I have a lot of tasks in my task bar that I am not sure about and would appreciate any help finding out if there is anything wrong with my system.

The main thing that worries me is the amount of SVChost processes I have running; here is a list I printed in the Windows terminal. Does anything here look odd?

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1328 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
svchost.exe                   1428 RpcEptMapper, RpcSs
svchost.exe                   1472 LSM
svchost.exe                   1800 nsi
svchost.exe                   1812 NcbService
svchost.exe                   1820 TimeBrokerSvc
svchost.exe                   1876 Schedule
svchost.exe                   1896 netprofm
svchost.exe                   1984 hidserv
svchost.exe                   1344 ProfSvc
svchost.exe                   2100 UserManager
svchost.exe                   2196 Dnscache
svchost.exe                   2272 DevQueryBroker
svchost.exe                   2304 CoreMessagingRegistrar
svchost.exe                   2524 StateRepository
svchost.exe                   2608 DispBrokerDesktopSvc
svchost.exe                   2652 EventLog
svchost.exe                   2680 Themes
svchost.exe                   2688 SysMain
svchost.exe                   2696 EventSystem
svchost.exe                   2824 SENS
svchost.exe                   2940 AudioEndpointBuilder
svchost.exe                   2948 FontCache
svchost.exe                   2628 Winmgmt
svchost.exe                   3316 Audiosrv
svchost.exe                   3352 TextInputManagementService
svchost.exe                   3668 Dhcp
svchost.exe                   3676 Wcmsvc
svchost.exe                   3684 DusmSvc
svchost.exe                   3872 WinHttpAutoProxySvc
svchost.exe                   4012 WlanSvc
svchost.exe                   4060 ShellHWDetection
svchost.exe                   4068 CryptSvc
svchost.exe                   4376 LanmanServer
svchost.exe                   4692 DeviceAssociationService
svchost.exe                   4984 NlaSvc
svchost.exe                   4484 BFE, mpssvc
svchost.exe                   1112 TokenBroker
svchost.exe                   5416 LanmanWorkstation
svchost.exe                   5460 CDPSvc
svchost.exe                   5924 SSDPSRV
svchost.exe                   6080 RmSvc
svchost.exe                   5280 Appinfo
svchost.exe                   7068 DiagTrack
svchost.exe                   7076 DPS
svchost.exe                   7084 IKEEXT
svchost.exe                   7092 iphlpsvc
svchost.exe                   7100 TrkWks
svchost.exe                   7116 WpnService
svchost.exe                   9064 wscsvc
svchost.exe                   9924 camsvc
svchost.exe                  11456 lmhosts
svchost.exe                  12428 webthreatdefsvc
svchost.exe                   8936 PolicyAgent
svchost.exe                   6624 NcdAutoSetup
svchost.exe                   6708 fdPHost
svchost.exe                  13052 FDResPub
svchost.exe                  13116 InstallService
svchost.exe                  15300 SstpSvc
svchost.exe                  15512 RasMan
svchost.exe                  16104 UsoSvc
svchost.exe                  16172 WaaSMedicSvc
svchost.exe                  14544 PcaSvc
svchost.exe                  18180 XblAuthManager
svchost.exe                  18240 LicenseManager
svchost.exe                   7672 QWAVE
svchost.exe                  13272 OneSyncSvc_4a7a6
svchost.exe                  12356 DoSvc
svchost.exe                   5044 StorSvc
svchost.exe                  20824 W32Time
svchost.exe                  18500 lfsvc
svchost.exe                  18324 webthreatdefusersvc_4a7a6
svchost.exe                   1636 cbdhsvc_4a7a6
svchost.exe                   2712 UdkUserSvc_4a7a6
svchost.exe                  20048 NPSMSvc_4a7a6
svchost.exe                   4388 WpnUserService_4a7a6
svchost.exe                   5756 gpsvc
svchost.exe                  11148 AppXSvc
svchost.exe                  10324 wuauserv
svchost.exe                  10308 DsSvc
svchost.exe                  12096 ClipSVC
svchost.exe                  16824 WdiSystemHost
svchost.exe                  21324 DisplayEnhancementService

Thanks in advance
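
One way to check the svchost.exe instances asked about above, as an added example that is not part of the original thread or any helper's instructions: it assumes the usual properties of a genuine service host (image in System32 or SysWOW64, started by services.exe with a `-k` group argument, valid Microsoft signature) and lists each instance with the services it hosts.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session;
# without elevation ExecutablePath and CommandLine come back empty for some hosts.
$okPaths = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

# Index every process by PID so each svchost parent can be resolved.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }
$svchosts = $byPid.Values | Where-Object { $_.Name -eq 'svchost.exe' }

$report = foreach ($p in $svchosts) {
    $issues = @()
    $parent = $byPid[[int]$p.ParentProcessId]

    if (-not $p.ExecutablePath) {
        $issues += 'image path unreadable'
    } else {
        if ($okPaths -notcontains $p.ExecutablePath) { $issues += 'unexpected image path' }
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') { $issues += "signature $($sig.Status)" }
        elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $issues += 'signer is not Microsoft'
        }
    }
    if (-not $parent -or $parent.Name -ne 'services.exe') { $issues += 'parent is not services.exe' }
    if ($p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') { $issues += 'no -k service group' }

    # Services hosted in this PID, the same mapping "tasklist /svc" prints.
    $svc = (Get-CimInstance Win32_Service -Filter "ProcessId=$($p.ProcessId)").Name -join ', '

    [pscustomobject]@{
        PID      = $p.ProcessId
        Parent   = $parent.Name
        Services = $svc
        Issues   = $issues -join '; '
    }
}

# Rows with a non-empty Issues column are the ones to look at first.
$report | Sort-Object { $_.Issues -eq '' }, PID | Format-Table -AutoSize -Wrap
```

A flagged row is a reason to look closer, not a verdict: a parent PID can be reused after the original parent exits, and an unreadable path usually just means the session was not elevated.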


Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove pesky malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

There is no malware in those logs. Just orphan entries.

  • Download the enclosed file Fixlist.txt
  • Start FRST (FRST64) with Administrator privileges (FRSTEnglish.exe) (C:\Users\Cal\Downloads\FRSTEnglish.exe)
  • This time around press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

 

Edited by JSntgRvr

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance, please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

This topic is now closed to further replies.