Carbonite
I need to bring in the BIG GUNS - persistent malware/spyware (need a security pro)

Magnum-777

Hi guys,

Over my life I've had the odd virus before, but what I got is NEXT level - I'm throwing in the towel, I'm just not equipped to deal with whatever the hell this is.

First off, it's not just my PC - my other 2 PCs I'm 99% sure have it too - but I only have log proof on my main PC for now. I'm not ashamed to let people know that I do suffer from mental illness and have in the past had mental breaks that included paranoid delusions. But I see a psychiatrist, take my meds and have been stable for a number of years. Unfortunately, my family now thinks I'm a village idiot - my intellect is intact, I know my way around a PC and after 20 years you get a 'feeling' when something is off. In this case it was Task Manager - way too many processes and certain running apps/processes that I know just aren't part of a standard Win 10 (I'm on 11 now) install.

I started exploring my install drive and began finding 'breadcrumbs' - empty suspicious hidden folders containing only text log files and after reviewing them I knew something was off. But my antivirus said I was A-OK. So I decided to reinstall - off a DVD because my browser would sometimes do really strange redirects and I wanted an untouched install disc. Immediately after install, right out the gate (no internet access), all the suspicious apps/services were running and after connecting to the web it was worse.

And look - I'm VERY aware of my mental illness. I UNDERSTAND how a paranoid delusion works, that I might be connecting dots and that I might have relapsed. But my family just never takes me seriously - it was decided my brother-in-law would 'investigate thoroughly'. I TOLD him that in my opinion the antivirus progs were compromised and not to be trusted. So after a week the PC comes back and all he fucking did was update my BIOS, reinstall the machine and run antivirus, which I TOLD him wouldn't be enough. What I asked him to do was a forensic analysis but instead (because I'm 'unstable') he just did what a trained monkey could do.

Eventually I found a site called Bleeping Computer - their forum has security pros offering free analysis. They get you to scan your system using a prog called FARBAR, send them the logs and they take a deeper look. And SURPRISE SURPRISE I was right! They then write a 'fixlist' script which you run through FARBAR. After I ran the script, restarted and logged in my AV went NUTS - I was under an ARP poisoning attack. Like I said I'm not a security expert; they gave me advice on what to do, rerun the scan and send the logs. A second list of fixes was run. After sending them the results log they pronounced my PC clean.

It's a month later and I'm back where I started. I can't set my PC to not be part of a business network, there are group policies set in place restricting what I can do and a whole bunch of other things. Went back to Bleeping Computer, ran another fix script and the policies were gone and I could set my PC as 'not part of a business'. That joy lasted 2 hours. They put the group policies back in place and I was back as part of a business network.

GUYS - I'm begging for help. I'm even prepared to pay a security professional to take this PC away and do his thing.

On a personal note it's affecting my mental health BADLY. My PC is one of a very short list of things that bring me joy. I'm being monitored. I can't handle this much longer and I NEED THIS TO GO AWAY. I was out of work for 5 years. I've FINALLY landed a major contract and I'm getting my life (and self-respect) back on track. Like I said, if I have to pay someone to fix this I'll do it. But right now I'm miserable. I'll do anything just for someone to take me seriously and MAKE THIS GO AWAY.

Please help me. Carbie has never let me down, I love it here. I'm literally begging at this stage.
 
Hey, I'm no security expert, but some malicious elements may embed themselves in all sorts of places on your HDD, places that a format won't touch... (thus a reinstall won't help)

You'd have to wipe the drive with something like a live boot of a Linux distro, using something that will not only wipe and reinitialize but also overwrite your drive (to avoid data recovery), partition tables, etc. Basically, wipe and redo every aspect of the drive.

Should your virus be sophisticated, you'd need to do this to other machines that have been on your network too. (it might just reinfect the moment it connects).

Should the virus be really grand, it could potentially use other platforms to lie dormant, such as mobiles/routers etc.

Something like Stuxnet spread by many different means to eventually make it to its target systems.

That being said, which antivirus software have you been using, and have you been doing deep scans or start-up scans? Normal scans from the desktop cannot access all areas of your drive or even RAM, so a startup scan (before your OS locks the sections) is often required for the AV to have full, unrestricted access.

The main thing is, you need to secure your accounts, make sure to have 2FA set up etc on all your important accounts that should at least help keep them safe until you could figure this out.

Would you be able to post a bit of code from the scripts they sent you here? Not sure how trustworthy they are... You can open the script with Notepad and you should be able to copy and paste the code.
 
Hi, the scripts are benign - they're saved as txt files that FARBAR then executes. I just finished running a new scan (I had to do a system restore, long story) - FRST and Addition text files are the results. They then go away analyze it and give you script which you copy/paste into a txt called fixlist.txt. Once FARBAR is done it generates a fixlog to review.

I don't see a way to attach the logs to this post though
 
Here's a fixlist they asked me to run:

start

Comment: All processes will be force closed, System Protection will be enabled
Comment: New Restore Point will be created, All network proxies will be removed
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:

Comment: Items from the FRST.TXT log that will be removed from the Registry.
HKU\S-1-5-21-699777846-2967273858-3915955917-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
HKU\S-1-5-21-699777846-2967273858-3915955917-1001\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {EE128E8E-39EE-4F76-80D1-6528AB331F76} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)
S3 cpuz152; \??\C:\Windows\temp\cpuz152\cpuz152_x64.sys [X]

Hosts:
cmd: pushd\windows\system32
cmd: net stop bits
cmd: net stop cryptSvc
cmd: net stop wuauserv
cmd: net stop msiserver
cmd: del /s /q C:\Windows\SoftwareDistribution\download\*.*
cmd: net start cryptSvc
cmd: net start bits
cmd: net start wuauserv
cmd: net start msiserver
cmd: sfc /scannow
cmd: DISM.exe /Online /Cleanup-image /Restorehealth
cmd: sfc /scannow
StartBatch:
del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
NETSH winsock reset catalog
NETSH int ipv4 reset reset.log
NETSH int ipv6 reset reset.log
ipconfig /release
ipconfig /renew
ipconfig /flushdns
ipconfig /registerdns
net start sdrsvc
net start vss
net start rpcss
net start eventsystem
net start mpsdrv
net start bfe
net start MpsSvc
net start winmgmt
netsh winhttp reset proxy
netsh interface IP delete arpcache
Bitsadmin /Reset /Allusers
cmd: winmgmt /verifyrepository
Endbatch:
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON

Comment: The system will restart.
Reboot:

End
 
Here's a LONG list that FARBAR generates in the initial scan (I can't post the whole thing, probably due to size):

Platform: Microsoft Windows 11 Pro Version 21H2 22000.593 (X64) Language: English (United Kingdom)
Default browser: FF
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\Program Files (x86)\ASUS\ArmouryDevice\asus_framework.exe ->) (ASUSTeK COMPUTER INC. -> ) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\SwAgent\ArmourySwAgent.exe
(C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ArmourySocketServer\ArmourySocketServer.exe ->) (ASUSTeK COMPUTER INC. -> ASUS) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ArmourySocketServer\ArmouryWebBrowserEdge.exe
(C:\Program Files (x86)\Steam\steam.exe ->) (Valve Corp. -> Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe <4>
(C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper32.exe ->) (Skutta, Kristjan -> ) C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\webwallpaper32.exe <5>
(C:\Program Files\ASUS\ARMOURY CRATE Lite Service\ArmouryCrate.Service.exe ->) (ASUSTEK COMPUTER INCORPORATION -> ASUSTeK COMPUTER INC.) C:\Program Files\ASUS\ARMOURY CRATE Lite Service\ArmouryCrate.UserSessionHelper.exe
(C:\Program Files\ESET\ESET Security\ekrn.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\eguiProxy.exe
(C:\Program Files\ESET\ESET Security\ekrn.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\eOppFrame.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe
(C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20070.95.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\100.0.1185.29\msedgewebview2.exe <6>
(CHENGDU YIWO Tech Development Co., Ltd. -> ) [File not signed] C:\Program Files (x86)\EaseUS\EaseUS Partition Master 12.10\bin\TrayPopupE\TrayTipAgentE.exe
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\99.0.1150.55\msedgewebview2.exe <6>
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
(explorer.exe ->) (nordvpn s.a. -> TEFINCOM S.A.) C:\Program Files\NordVPN\NordVPN.exe
(explorer.exe ->) (Skutta, Kristjan -> ) C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper32.exe
(explorer.exe ->) (Valve Corp. -> Valve Corporation) C:\Program Files (x86)\Steam\steam.exe
(hvsimgr.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\hvsirdpclient.exe
(hvsimgr.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\hvsirpcd.exe
(Mozilla Corporation -> Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe <10>
(Nvidia Corporation -> Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Power Software Limited -> Power Software Ltd) C:\Program Files\PowerISO\PWRISOVM.EXE
(services.exe ->) (Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(services.exe ->) (ASUSTeK Computer Inc. -> ) C:\Windows\System32\AsusUpdateCheck.exe
(services.exe ->) (ASUSTeK Computer Inc. -> ASUSTek COMPUTER INC.) C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe
(services.exe ->) (ASUSTeK Computer Inc. -> ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsusFanControlService\2.01.12\AsusFanControlService.exe
(services.exe ->) (ASUSTeK Computer Inc. -> ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AXSP\4.02.12\atkexComSvc.exe
(services.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek COMPUTER INC.) C:\Program Files (x86)\ASUS\ROG Live Service\ROGLiveService.exe
(services.exe ->) (ASUSTeK Computer Inc. -> ASUSTek Computer Inc.) C:\Program Files (x86)\LightingService\LightingService.exe
(services.exe ->) (ASUSTEK COMPUTER INCORPORATION -> ASUS Inc.) C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
(services.exe ->) (ASUSTEK COMPUTER INCORPORATION -> ASUSTeK COMPUTER INC.) C:\Program Files\ASUS\ARMOURY CRATE Lite Service\ArmouryCrate.Service.exe
(services.exe ->) (DESlock Limited -> DESlock Limited.) C:\Program Files\ESET\ESET Secure Data\dlpsrv.exe
(services.exe ->) (DTS, Inc. -> ) C:\Windows\System32\DTS\PC\APO3x\DTSAPO3Service.exe
(services.exe ->) (ESET, spol. s r.o. -> ESET) C:\Program Files\ESET\ESET Security\ekrn.exe
(services.exe ->) (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\System32\WirelessKB850NotificationService.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\MsMpEng.exe
(services.exe ->) (nordvpn s.a. -> TEFINCOM S.A.) C:\Program Files\NordUpdater\NordUpdateService.exe
(services.exe ->) (nordvpn s.a. -> TEFINCOM S.A.) C:\Program Files\NordVPN\nordvpn-service.exe
(services.exe ->) (Nvidia Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe <2>
(services.exe ->) (Nvidia Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_c0e159863e7afdde\Display.NvContainer\NVDisplay.Container.exe <2>
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_e8d71250669d562e\RtkAudUService64.exe <2>
(services.exe ->) (Valve Corp. -> Valve Corporation) C:\Program Files (x86)\Common Files\Steam\steamservice.exe
(svchost.exe ->) (ASUSTeK Computer Inc. -> ) C:\Program Files\ASUS\KINGSTON_Aac_DRAM\AacKingstonDramHal_x64.exe
(svchost.exe ->) (ASUSTeK Computer Inc. -> ) C:\Program Files\ASUS\KINGSTON_Aac_DRAM\AacKingstonDramHal_x86.exe
(svchost.exe ->) (ASUSTeK COMPUTER INC. -> ASUS) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\AcPowerNotification\AcPowerNotification.exe
(svchost.exe ->) (ASUSTeK COMPUTER INC. -> ASUS) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ArmourySocketServer\ArmourySocketServer.exe
(svchost.exe ->) (ASUSTeK Computer Inc. -> ASUSTek Compputer Inc.) C:\Program Files\ASUS\AacMB\Aac3572MbHal_x86.exe <2>
(svchost.exe ->) (ASUSTeK COMPUTER INC. -> ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ArmouryDevice\asus_framework.exe <4>
(svchost.exe ->) (ASUSTeK Computer Inc. -> ASUSTeK Computer Inc.) C:\Program Files\ASUS\AacExtCard\extensionCardHal_x86.exe
(svchost.exe ->) (ASUSTeK Computer Inc. -> ASUSTeK Computer Inc.) C:\Program Files\ASUS\ASUS_Aac_DRAM\Aac3572DramHal_x86.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\hvsimgr.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\UUS\amd64\MoUsoCoreWorker.exe
(svchost.exe ->) (Microsoft Windows) C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20070.95.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe
(vmcompute.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\Windows\System32\vmwp.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Security\ecmds.exe [167496 2022-01-13] (ESET, spol. s r.o. -> ESET)
HKLM\...\Run: [RtkAudUService] => C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_e8d71250669d562e\RtkAudUService64.exe [1350240 2021-09-16] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files\PowerISO\PWRISOVM.EXE [460432 2021-11-04] (Power Software Limited -> Power Software Ltd)
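
An added example (not FRST's code, not Bleeping Computer's, and not from anyone in this thread) of how a helper would triage the log above instead of eyeballing it. It parses the three FRST entry formats that appear in the fixlist and the log posted here (process lines with their signer and parent chain, `Task:` lines, and service/driver lines) and applies a few labelled heuristics. The sample lines are copied from this thread's own log; the "suspicious directory" list and the reason strings are my assumptions, and a hit means "look at this next", not "this is malware".

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread, not FRST's or Bleeping Computer's code. It
parses three entry formats as they appear in the FRST.txt log and the fixlist
posted above (process lines, "Task:" lines and service/driver lines) and
applies small, labelled heuristics. The sample lines are copied from the log
in this thread; a hit means "worth a second look", not "malicious".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Heuristic (assumption): installed software rarely runs from these directories.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Text after the "(...)" groups: optional unsigned flag, drive path, optional "<N>" count.
REST_RE = re.compile(r"^(?P<unsigned>\[File not signed\]\s*)?(?P<path>[A-Za-z]:\\.*?)(?:\s*<(?P<count>\d+)>)?\s*$")
# "Task: {GUID} - System32\Tasks\Vendor\Name => C:\path\tool.exe (No File)"
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<task>\S+) => (?P<path>.*?)(?P<nofile> \(No File\))?$")
# "S3 name; \??\C:\path\driver.sys [X]"   ("[X]" = FRST could not find the file)
SVC_RE = re.compile(r"^(?P<start>[SRU]\d) (?P<name>[^;]+); (?:\\\?\?\\)?(?P<path>.*?)(?P<missing> \[X\])?$")


@dataclass
class Finding:
    kind: str                          # process, task, service or driver
    path: str
    reasons: List[str] = field(default_factory=list)
    detail: str = ""                   # parent chain / signer / task or service name


def _leading_groups(line: str) -> Tuple[List[str], str]:
    """Split off the leading "(...)" groups, honouring nested parens such as "(x86)"."""
    groups, i = [], 0
    while i < len(line) and line[i] == "(":
        depth, j = 0, i
        while j < len(line):
            depth += {"(": 1, ")": -1}.get(line[j], 0)
            if depth == 0:
                break
            j += 1
        if depth != 0:
            break                      # unbalanced: not a process line
        groups.append(line[i + 1:j])
        i = j + 1
        while i < len(line) and line[i] == " ":
            i += 1
    return groups, line[i:]


def _dir_reason(path: str) -> List[str]:
    low = path.lower()
    return ["runs from a temp/public directory"] if any(d in low for d in SUSPICIOUS_DIRS) else []


def _triage_process(line: str) -> Optional[Finding]:
    groups, rest = _leading_groups(line)
    m = REST_RE.match(rest) if groups else None
    if not m:
        return None
    parents = [g.rsplit("->", 1)[0].strip() for g in groups[:-1]]   # "(services.exe ->)"
    signer = groups[-1].split("->", 1)[0].strip()                    # "(Signer -> Company)"
    f = Finding("process", m.group("path"), detail=f"signer={signer!r} parents={' <- '.join(parents) or 'n/a'}")
    if m.group("unsigned"):
        f.reasons.append("not digitally signed")
    f.reasons += _dir_reason(f.path)
    return f


def _triage_task(line: str) -> Optional[Finding]:
    m = TASK_RE.match(line)
    if not m:
        return None
    f = Finding("task", m.group("path"), detail=m.group("task"))
    if m.group("nofile"):
        f.reasons.append("target file missing")
    f.reasons += _dir_reason(f.path)
    return f


def _triage_service(line: str) -> Optional[Finding]:
    m = SVC_RE.match(line)
    if not m:
        return None
    kind = "driver" if m.group("path").lower().endswith(".sys") else "service"
    f = Finding(kind, m.group("path"), detail=f"{m.group('name')} ({m.group('start')})")
    if m.group("missing"):
        f.reasons.append("image file missing")
    f.reasons += _dir_reason(f.path)
    return f


def triage(lines) -> List[Finding]:
    """Entries with at least one reason, in log order."""
    out = []
    for raw in lines:
        line = raw.strip()
        f = line and (_triage_process(line) or _triage_task(line) or _triage_service(line))
        if f and f.reasons:
            out.append(f)
    return out


# Sample input: lines copied verbatim from the FRST log and fixlist in this thread.
SAMPLE_FRST_LINES = [
    r"(C:\Program Files (x86)\ASUS\ArmouryDevice\asus_framework.exe ->) (ASUSTeK COMPUTER INC. -> ) C:\Program Files (x86)\ASUS\ArmouryDevice\dll\SwAgent\ArmourySwAgent.exe",
    r"(CHENGDU YIWO Tech Development Co., Ltd. -> ) [File not signed] C:\Program Files (x86)\EaseUS\EaseUS Partition Master 12.10\bin\TrayPopupE\TrayTipAgentE.exe",
    r"(Mozilla Corporation -> Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe <10>",
    r"(svchost.exe ->) (Microsoft Windows) C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20070.95.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe",
    r"Task: {EE128E8E-39EE-4F76-80D1-6528AB331F76} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)",
    r"S3 cpuz152; \??\C:\Windows\temp\cpuz152\cpuz152_x64.sys [X]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"[{f.kind}] {f.path}\n    {f.detail}\n    -> {', '.join(f.reasons)}")
```

Run it over a saved FRST.txt with `triage(open("FRST.txt", encoding="utf-8", errors="replace"))` and you get the short list to hand to whoever is helping; the three hits on the sample are an unsigned vendor tray helper, a scheduled task whose executable is gone, and a driver entry under Windows\temp with no file behind it, which is exactly the set the fixlist above removes.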
 
Give Hitman Pro a try as well

It's meant to remove viruses after you've been infected. See if it shows anything and if it can remove them
+1, I also use Hitman Pro when I feel my PC needs a good clean.
 
Use a completely separate and safe computer and make a bootable USB with Linux on it; for the extra paranoid, use a DVD-ROM disc. With the network disconnected and all optional drives removed, boot into the Linux system on the USB/DVD and use the dd command to completely wipe the target boot disk.

Use either the zeroing option or the random data option. For the extra paranoid, when done shut down the PC, remove power, and then physically remove all the RAM sticks for a few hours to clear the DRAM, then reinstall. Then, using the separate PC, download and make a bootable Windows USB/DVD and use that to do the install. Use the separate PC and a USB to also download and install the latest antivirus with the latest virus definitions, and if possible the latest Windows updates. Once all that is done, set your firewall to block all inbound connections, programs, and all ports, connect the PC to the network, and then in the firewall open the necessary ports/connections one by one. Reconnect any optional drives one by one after a scan.

Repeat for all computers, and make sure all other network devices that have memory, like network printers, are disconnected.
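
An added example, not from the poster above, for the step between "dd finished" and "reinstall": read the disk back and prove the wipe actually took. A zero-fill is checked with a full sequential scan for the first non-zero byte (sampling a few offsets can miss a single leftover sector, which is the case the demo plants); a random-fill is checked chunk by chunk for entropy, since old data and zeros both read as low entropy. The demo works on a temporary file standing in for the block device; the chunk size, entropy threshold and device path are my assumptions.

```python
"""Read a wiped disk back and prove the wipe took, before reinstalling on it.

Added example for this thread (not from any of the posters). After a zero-fill
or random-fill pass with dd from a live USB, this scans the target and reports
anything that contradicts the wipe. The demo runs on a temporary file standing
in for the block device; the device path, chunk size and entropy threshold are
assumptions to adjust. Run the real check as root against /dev/sdX while the
disk is not mounted.
"""
import math
import os
import tempfile
from collections import Counter
from typing import List, Optional

CHUNK = 1 << 20            # 1 MiB per read (assumption; larger is fine on real disks)
RANDOM_MIN_ENTROPY = 7.9   # bits/byte; a random-filled chunk sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy per byte: 0.0 for an all-zero buffer, about 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def first_nonzero_offset(path: str) -> Optional[int]:
    """Zero-fill check: full sequential scan, offset of the first non-zero byte or None."""
    zero = bytes(CHUNK)
    with open(path, "rb") as f:
        pos = 0
        while buf := f.read(CHUNK):
            if buf != zero[:len(buf)]:
                return pos + next(i for i, b in enumerate(buf) if b)
            pos += len(buf)
    return None


def low_entropy_chunks(path: str, threshold: float = RANDOM_MIN_ENTROPY) -> List[int]:
    """Random-fill check: offsets of chunks that do not look random (old data, zeros)."""
    bad, pos = [], 0
    with open(path, "rb") as f:
        while buf := f.read(CHUNK):
            if shannon_entropy(buf) < threshold:
                bad.append(pos)
            pos += len(buf)
    return bad


def make_demo_image(size: int, leftover_at: Optional[int] = None) -> str:
    """Constructed stand-in for a wiped disk: all zeros, optionally with one
    512-byte sector of old data left behind at `leftover_at` (the case a
    sampling-only check can miss and a full scan must catch)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)                     # sparse file, reads back as zeros
        if leftover_at is not None:
            f.seek(leftover_at)
            f.write(b"\x55\xaa" * 256)       # non-zero filler, not a real boot sector
    return path


if __name__ == "__main__":
    img = make_demo_image(4 << 20, leftover_at=3 * (1 << 20) + 4096)
    print("first non-zero byte at:", first_nonzero_offset(img))
    print("non-random chunks at:", low_entropy_chunks(img))
    os.remove(img)
```

On the real disk this is `first_nonzero_offset("/dev/sdX")` after `dd if=/dev/zero`, or `low_entropy_chunks("/dev/sdX")` after `dd if=/dev/urandom`; an empty result is the only acceptable answer before you boot the Windows installer. Note that the check covers what the OS can address: a drive's spare area and firmware are outside it, which is the point the later posts about firmware make.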
 
I work in Cyber Security. 17 years :)

I see you are running Malwarebytes. That should catch the typical automated spyware stuff. The AV should catch known "automated attacks". Just make sure you patch Windows and your 3rd party apps. Patch your router firmware. Agree with blocking inbound traffic as well. Most importantly, stay away from torrents and P2P apps or high-risk internet activities. Use Quad9 for DNS queries. Do this on all devices in your home network.

If you want to be extra safe download the benchmark for CIS hardening. Select your operating system and apply those controls.

This should take care of automated malware and spyware or even low-skilled targeted attacks. It's highly unlikely that a medium-skilled threat actor and up would target you. If you work for a company that could make you a target, they would have given you a company laptop to work from. That laptop should have the required logging and expensive tools to detect targeted attacks. Hope this helps, and all the best for your mental health! Stay safe.
 
@Magnum-777 FYI most AVs have a bootable AV; also check out the COMSS bootable ISO.

I've heard of shit being embedded in HDD firmware but that's not typical stuff as far as I know.
 
Downgrade, maybe XP, clean install 7, 10, 11 after that. Backing up your docs works, but they may still be infected. Also Norton does seem to clean a drive pretty well.
Hiren
 
Couple of things I can think of, apologies if this was mentioned above but I skipped over some answers from others here:

This might be a rootkit; these are pretty nasty to get rid of. Some steps you might take:
Power off your PC, remove the power cable, remove the RAM and CMOS battery, leave them out for 10-15 minutes, plug everything back in and run your clean script; see if this maybe gets it out if it's just a persistent rootkit.

If it's maybe a more advanced one:
Re-flash your motherboard's BIOS to the latest manufacturer version; this should purge any nasties that are embedded in your hardware. (This is different to an update and is a more advanced step; it entails completely purging your CMOS memory of everything and then loading the BIOS back on.) I would only recommend this as a nuclear option.

Also ensure that any installation media you have used is valid: download fresh ISOs from reputable sources and ensure that the signatures are the same when they land. Ideally any downloads you do should be on a system you trust.
 
Hey there dude.

First off, let me start by saying that you being worried about stuff is not necessarily attributable to paranoid delusions.

I've read through your posted logs and I'm not seeing anything in the running processes that concerns me; all of the reported services and applications are familiar to me. Windows 10 and 11 operate vastly differently to how their predecessors used to, and therefore there will be files and directories, together with some oddly named processes, that we won't be able to identify just by using past experience. An example would be something like AArSvc_1ff3414f, which is a child service created for the Agent Activation Runtime. It receives a random process name so that a targeted attack by malware is mitigated somewhat. There are several such services that make use of this technique, such as CDPUserSvc, ConsentUxUserSvc and DevicePickerUserSvc.

These are parts of what automates stuff inside Windows, or prompts a user for administrative access when an app is trying to modify the core system files or registry. They're useful, not harmful.

That said, there are pieces of malware, such as BIOS rootkits, that do not operate inside Windows but sit outside of it. These are hard to detect and even harder to remove - sometimes impossible. To detect these, one needs to dump the system BIOS and search through it with a hex viewer, something that not a lot of folks know how to do.

I live fairly close to you, and I'm willing to help you out with some in depth scans and BIOS analysis if you are up for it. It will take a couple of days, and I'll have to take out your hard drives to scan them on a machine that is independent to your use and data. While I don't have the pinpoint expertise of say an engineer at MWR, DaVinci or Redshift, I can offer you some peace of mind that I will be more comprehensive than just installing some random piece of software and running a scan from there.
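
An added example, not the poster's own method, of what "dump the BIOS and search through it" looks like when done systematically rather than with a hex viewer. A UEFI flash image is a sequence of firmware volumes, each starting with an EFI_FIRMWARE_VOLUME_HEADER whose `_FVH` signature sits 40 bytes in; the code locates every volume, validates the header (length, checksum, whether the volume runs past the end of the dump, which usually means a short read), hashes it, and diffs the inventory against a clean image of the same board and BIOS version. The two images below are constructed so it runs offline; the attribute value in the builder and the demo payloads are placeholders, and the dump itself would come from flashrom, chipsec or the vendor's tool.

```python
"""Inventory the UEFI firmware volumes in a dumped BIOS/SPI image and diff
them against a clean vendor image.

Added example for this thread, not the poster's own method. Firmware rootkits
live in the flash image, so after dumping it (flashrom, chipsec or a vendor
tool) the practical first step is to locate every firmware volume and compare
it, hash by hash, with the same volume in a known-good image for the same
board and version. Volume layout follows the UEFI PI EFI_FIRMWARE_VOLUME_HEADER;
the images below are constructed so the example runs offline.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

FVH_SIG = b"_FVH"        # EFI_FVH_SIGNATURE, sits at offset 40 of the header
SIG_OFFSET = 40
FIXED_HEADER = 56        # header bytes before the block map
# EFI_FIRMWARE_FILE_SYSTEM2_GUID 8C8CE578-8A3D-4F1C-9935-896185C32DD3, as stored on flash
FFS2_GUID = struct.pack("<IHH", 0x8C8CE578, 0x8A3D, 0x4F1C) + bytes.fromhex("9935896185C32DD3")


@dataclass
class FirmwareVolume:
    offset: int
    length: int
    header_len: int
    fs_guid: str
    checksum_ok: bool
    truncated: bool      # FvLength runs past the end of the dump (short read?)
    sha256: str


def _guid_str(raw: bytes) -> str:
    d1, d2, d3 = struct.unpack_from("<IHH", raw, 0)
    return f"{d1:08x}-{d2:04x}-{d3:04x}-{raw[8:10].hex()}-{raw[10:16].hex()}"


def _header_checksum_ok(hdr: bytes) -> bool:
    """The 16-bit words of the header (checksum field included) must sum to 0."""
    return len(hdr) % 2 == 0 and (sum(struct.unpack(f"<{len(hdr) // 2}H", hdr)) & 0xFFFF) == 0


def find_volumes(image: bytes) -> List[FirmwareVolume]:
    """Scan for "_FVH", validate the surrounding header, hash each volume."""
    vols, pos = [], 0
    while (idx := image.find(FVH_SIG, pos)) >= 0:
        pos = idx + len(FVH_SIG)
        start = idx - SIG_OFFSET
        if start < 0 or start + FIXED_HEADER > len(image):
            continue
        fv_len, = struct.unpack_from("<Q", image, start + 32)
        hdr_len, = struct.unpack_from("<H", image, start + 48)
        if hdr_len < FIXED_HEADER or start + hdr_len > len(image) or fv_len < hdr_len:
            continue                             # stray "_FVH" bytes, not a header
        end = min(start + fv_len, len(image))
        vols.append(FirmwareVolume(
            offset=start, length=fv_len, header_len=hdr_len,
            fs_guid=_guid_str(image[start + 16:start + 32]),
            checksum_ok=_header_checksum_ok(image[start:start + hdr_len]),
            truncated=start + fv_len > len(image),
            sha256=hashlib.sha256(image[start:end]).hexdigest()))
    return vols


def diff_volumes(dump: bytes, reference: bytes) -> List[str]:
    """Volumes that differ between a dump and a clean image, keyed by flash offset."""
    d = {v.offset: v for v in find_volumes(dump)}
    r = {v.offset: v for v in find_volumes(reference)}
    out = []
    for off in sorted(set(d) | set(r)):
        if off not in r:
            out.append(f"0x{off:x}: volume only in dump")
        elif off not in d:
            out.append(f"0x{off:x}: volume missing from dump")
        elif d[off].sha256 != r[off].sha256:
            out.append(f"0x{off:x}: contents differ")
    return out


def build_volume(body: bytes, block_size: int = 0x1000) -> bytes:
    """Constructed, checksum-valid volume around `body` (demo data only)."""
    header_len = FIXED_HEADER + 8 + 8            # one block-map entry + terminator
    total = header_len + len(body)
    fv_len = -(-total // block_size) * block_size
    hdr = bytearray(header_len)
    hdr[16:32] = FFS2_GUID
    struct.pack_into("<Q", hdr, 32, fv_len)
    hdr[40:44] = FVH_SIG
    struct.pack_into("<I", hdr, 44, 0x0004FEFF)   # attributes; illustrative value
    struct.pack_into("<H", hdr, 48, header_len)
    hdr[55] = 2                                   # Revision
    struct.pack_into("<II", hdr, 56, fv_len // block_size, block_size)
    struct.pack_into("<H", hdr, 50, (-sum(struct.unpack(f"<{header_len // 2}H", hdr))) & 0xFFFF)
    return bytes(hdr) + body + b"\xff" * (fv_len - total)


def build_demo_images():
    """A clean two-volume image and a copy with 16 bytes changed inside volume 2."""
    pad = b"\xff" * 0x100
    clean = pad + build_volume(b"PEI module data " * 64) + pad + build_volume(b"DXE driver data " * 200) + pad
    off = 0x100 + 0x1000 + 0x100 + 72 + 100       # inside the second volume's body
    implanted = clean[:off] + b"\x90" * 16 + clean[off + 16:]
    return clean, implanted


if __name__ == "__main__":
    clean, implanted = build_demo_images()
    for v in find_volumes(implanted):
        print(f"FV @0x{v.offset:x} len=0x{v.length:x} fs={v.fs_guid} ok={v.checksum_ok} sha256={v.sha256[:16]}")
    print(diff_volumes(implanted, clean))
```

With a real dump, `diff_volumes(open("dump.bin","rb").read(), open("vendor.bin","rb").read())` narrows the search from megabytes to the volumes that changed; expect the NVRAM volume to differ on every board (it stores variables), so a hit there is normal, while a changed DXE volume is where the hex viewer work starts.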
 
Hi man, that would definitely be appreciated. I noticed something after a forced reinstall last weekend. I think my hacked Gmail is some kind of Trojan horse or something. I noticed that as soon as I set up my personal Chrome with the old "bad" Gmail something odd happens: I get Chrome and an old Internet Explorer icon engaging in some sort of traffic. Disconnect the "bad account" and the behaviour stops. Don't ask me how, but there's possibly a Chrome extension or something they smuggled in that engages when Chrome sets up for me.

But I would really appreciate a top to bottom inspection, if you're still up for it!
 
I've got a secondary PC I can work off in the meantime, happy to pay travel expenses or any outlay you need to make! Having complete trust in my PC again would mean a lot!
 
If you have your Chrome browser configured to sync extensions, then it is possible that some rogue extensions are pulling down.

Of course, my offer still stands. Drop me your number in DM and we'll set something up.
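
An added example, not from either poster and not Chrome's code, for checking the sync theory above without trusting the running browser: list what a Chrome profile will load from its preference files. Chrome records installed extensions under `extensions.settings` in the profile's `Secure Preferences` (older profiles: `Preferences`) JSON, keyed by extension id, with where each one came from, whether it is from the Web Store, its state and its manifest. The install-location codes below follow Chromium's ManifestLocation enum (my reading of the Chromium source); the sample document and the "broad permissions" list are constructed. Copy the file out of the profile directory with Chrome closed and run this against the copy.

```python
"""List the extensions a Chrome profile will load, from its preference files.

Added example, not the thread's or Chrome's code. Chrome keeps installed
extensions under extensions.settings in the profile's "Secure Preferences"
(older profiles: "Preferences") JSON, keyed by the 32-character extension id.
The install-location codes follow Chromium's ManifestLocation enum (an
assumption about current Chromium); the sample document below is constructed.
Read a copy of the file from the profile directory while Chrome is closed,
rather than trusting chrome://extensions on a machine you suspect.
"""
import json
from dataclasses import dataclass
from typing import List

LOCATIONS = {   # extensions::mojom::ManifestLocation (assumed from Chromium source)
    1: "internal (Web Store / .crx)", 2: "external pref", 3: "external registry",
    4: "unpacked (developer mode)", 5: "component", 6: "external pref download",
    7: "external policy download", 8: "command line", 9: "external policy",
    10: "external component",
}
SIDELOAD = {2, 3, 4, 6, 8}    # installed by something other than the Web Store, policy or Chrome itself
POLICY = {7, 9}
# Permissions that let an extension see or redirect traffic (the selection is a judgement call).
BROAD = {"<all_urls>", "webRequest", "webRequestBlocking", "proxy", "debugger", "declarativeNetRequest"}


@dataclass
class ExtensionRecord:
    ext_id: str
    name: str
    version: str
    location: str
    from_webstore: bool
    enabled: bool
    flags: List[str]


def inventory(prefs_json: str) -> List[ExtensionRecord]:
    """One record per extension id in extensions.settings, with review flags."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    out = []
    for ext_id, info in settings.items():
        manifest = info.get("manifest", {})
        loc = int(info.get("location", 0))
        perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        flags = []
        if loc in SIDELOAD:
            flags.append("sideloaded")
        if loc in POLICY:
            flags.append("force-installed by policy")
        if loc == 1 and not info.get("from_webstore", False):
            flags.append("internal install not from the Web Store")
        if perms & BROAD:
            flags.append("broad traffic access: " + ", ".join(sorted(perms & BROAD)))
        out.append(ExtensionRecord(
            ext_id, manifest.get("name", "?"), manifest.get("version", "?"),
            LOCATIONS.get(loc, f"unknown({loc})"),
            bool(info.get("from_webstore", False)),
            int(info.get("state", 0)) == 1, flags))
    return out


def needs_review(records: List[ExtensionRecord]) -> List[ExtensionRecord]:
    return [r for r in records if r.flags]


# Constructed sample: one ordinary Web Store extension, one registry-sideloaded
# "helper" with traffic permissions, one policy-forced extension.
SAMPLE_SECURE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "location": 1, "state": 1,
               "manifest": {"name": "Tab Notes", "version": "1.4.2", "permissions": ["storage", "tabs"]}},
    "b" * 32: {"from_webstore": False, "location": 3, "state": 1,
               "manifest": {"name": "Search Helper", "version": "2.0",
                            "permissions": ["<all_urls>", "webRequest", "proxy"]}},
    "c" * 32: {"from_webstore": False, "location": 9, "state": 1,
               "manifest": {"name": "Corp Proxy Config", "version": "0.3", "permissions": ["proxy"]}},
}}})

if __name__ == "__main__":
    for r in needs_review(inventory(SAMPLE_SECURE_PREFERENCES)):
        print(f"{r.ext_id} {r.name} {r.version} [{r.location}] enabled={r.enabled}")
        for flag in r.flags:
            print("    -", flag)
```

Something that arrives through sync shows up here as a normal `internal` Web Store install, so the id and name are what you compare across your two PCs and against what you actually chose to install; a `policy` location on a personal machine, or a registry/pref sideload you do not recognise, is the thing to pull before signing the account in again.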
 
@Magnum-777 You state that you use the PC for work. What do you need for it to work?
Maybe for your health reasons think of switching to something like Linux or macOS, which is a lot hardier when it comes to malware.

For health reasons I would suggest staying away from GNU/Linux. Spending 20 minutes typing commands to change your wallpaper just isn't for everyone. (I daily drive Debian so I'm allowed to shit on Unix nerds.)
 
Eish you are making it sound so bad... Are you one of those "I just use a wm, not a de" type people?
 
Gnome because I drive 2x ultrawides and come from macOS
Bruh, both KDE and GNOME refuse to give me my ultrawide res. Had to write a little script that runs on boot to invoke xrandr, which only then gives me 2560x1080, and only at 60Hz. Refuses to work on 75Hz.

Linux is very much a love hate relationship
 
Well, maybe Debian is the problem ;). I put my mom on elementary and it has been great. She can do her emails (Thunderbird) and her browsing (Chrome). And I don't ever have to worry about her clicking on a link or anything like that.

Also, I have a couple of Debian servers around, PopOS as my daily work machine. (I work in browser 90% of the time.)
 
Big fan of Elementary and their work grabbing some OS marketshare from systems running between XP and Win8 :p
 
Like I've said before, I'm very familiar with Tech and erasing data, but I'm convinced wherever it has settled in there are specific EFI sets that it pulls up as soon as it detects what you're installing. I'm talking about watching in real-time as it completely devoured Parrot Linux.

Actively interfering got the new Admin pissed and my keyboard and mouse were locked while it made itself comfy...
 
Thanks, this was useful. Don't care about how crazy this sounds, but I'm convinced that's where the reinfection comes from... I've read the white papers on this; essentially Nvidia runs the same VBIOS chip despite some needing less space. Apparently (in theory) the virus can utilize the stack of free real of space to load up defenses against multiple OS versions - Linux, whatever. I don't think I'm special, but this 1080ti has BAD juju rnrtgy...
 