Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Windows 10 machine likely infected.

  • Please log in to reply
3 replies to this topic

#1 Eunone


  • Members
  • 6 posts
  • Local time:01:18 PM

Posted 02 January 2016 - 03:20 PM

Hello. I have created an account in that forum explicitely to get help with a likely infection (or more than one).

I think I got a nasty infection... but I will start by the beginning. I got a computer who was used by another person for some years. That person was careless and the computer was infected by some toolbars between them ask toolbar, mystart toolbar, babylon toolbar and maybe more, to be honest I don't quite remember but probably some pups (that was more than one year ago). Started to get worried actually when entering into amazon and finding that there was an add in asiatics and arabs languages to the left of the window, making me unable to see the photos of the products (and it was in every product...).

Therefore I first used malwarebytes to clean the infection of those toolbars (there were some in explorer and at least one in firefox too and the adds in amazon dissappeared) but after a few months I decided to check more carefully given the fact that the computer was still slowing down. So I entered in safe mode and checked the computer with malwarebytes antimalware premium and some tools like adwcleaner JRT and I think I used back then aswmbr and rkill. I tried aswell to use eset smart but the computer was almost frozen when using the tool so I could not use it. Eset would not find a thing when scanning in normal mode which to be honest was very disappointing. (that was like one year ago) but the other tools seemed to desinfect those toolbars.

Months later while surfing I got into a website which was the usually really scary ransomware... what a good luck mine aye? Firefox could not be closed except by closing it with the task manager...

I am not sure if that caused me an infection, but firefox was protected by https everywhere, ghostery and adblock plus, and I got eset and malwarebytes too and they showed up nothing.

Back then I updated java after a new update appeared and I had to unistall it because everytime that I booted the computer 7000 process would show up, consuming all the resources of windows during some minutes. I uninstalled it and used javaRa to remove it completely.

After that I tried to use Gmer to check if there were some rootkits and for a moment it showed up a lot of them, then the computer restarted with a fail drivers bluescreen. However given the fact that I did not know how Gmer worked I was not sure if what I saw was real... I think now that what I saw was real. Anyway I tried a few times again and eventually nothing showed up without really deleting anything by myself.

Anyway after a while I realized I could be still infected so thinking there could be still some traces (given the fact that last time I thought that way too) I started to see the registry and started to delete stuff. Between them there were still some keys belonging to mystart toolbar. So, I deleted them.

Because all of this problems I decided to upgrade to windows 10. I was back then using windows 7.

After upgrading to Windows 10 I got some problems with the windows store and some apps after installing some updates of the windows operative system, so I had to erase the account which means loosing almost all the information and to pass some programs I backed up from an external disk.

Well after that I had to repair my computer 3 times, after petty problems happened which to be honest I found odd, including a newly bought graphic card getting broken just only after 3 months of buying it. After getting a new one, I realized of 2 things: my new graphic card was an ati but the drivers of the broken graphic card was an nvidia and the drivers were still in the computer. I however, had disable them at windows start. Even so, the drivers would still load up and even after finishing the process through task manager they would reapper. That was really odd. I finish them and at different times they appear again, I finish them again, and lastly I finish them all again and only one of the components appear again. (when I realized, got the new gfx some days ago) After finishing that last process again it did not showed up till hours later.

So I decided to install Security task manager after seeing some fast letters appearing in my monitor, which could mean someone had either ratted me and installed a program similar to a subliminal message program (or maybe a function of the rat,botnet, rootkit or whatever it could be) or maybe I got some kind of worm.

After installing Security task manager a program called failed appeared. The program said that it had an invisible window and showed up in "my computer", that is, where the letter C:/ and others appear, but the program was not able to be found. The PID showed up as 4512 and I can't be sure that program could be part of the infection or the infection itself given the fact that I could not see it (as I say the program was not able to be found but security task manager pin pointed to "my computer" that is, where the letter C:/ and others appear).

After exiting security task manager and realizing of that failed program I closed and used it again and the failed program would not appear.

Another thing, when I go to the tab share (that is, the share with other accounts tab) apart from the ASP.NET Machine Account there are some other accounts, fbwuser 01EC fbwuser08F8, fbwuser35CE, fbwuserBF75, fbwuserD02D and fbwuserE543. There is only an admin account if I check in the settings accounts though, and I had read that they could be part of a program but to have 6 fbwuser accounts seems really weird. I have read too that one of those fbwuser accounts could be from hotspot shield, a proxy that I used in the past but I can't be sure of the others (still I upgraded to windows 10 and erased the account, so seems odd it is still there). I have uploaded the accounts that show up in the registry using gmer... the only way that I could check them, they show up as red and I can´t delete them, nor in safe mode. In normal mode they don´t show up in the registry.

Another thing, I do not know if it is something odd or not but there is a process called dwm.exe and in the name of user tab it says DWM-2, I wonder why it is not DWM instead of DWM-2. When entering into safemode though, it was DWM-1 instead. After exiting of safe mode it changed already to DWM-1. Guess it´s nothing odd anyway.

And finally sometimes when I start the computer malwarebytes antimalware does´nt start. And other times it starts up again with windows without touching a thing.

That was all that I intended to write but in the last days I made some more stuff. I downloaded sysinternal tools, and checked some stuff in it. Between them there were 4 codecs that belongs to the ati drivers which show up in red and certain information (Description of the file, version of the file, name of product, version of product, copyright and language) was missing in the files which leads me to believe that the person or probably persons who are running the, as time passes less ammount of infections, could have simply infected them on purpose so they could do stuff like that of writing fast letters to me. Also... I initially had been using an onboard graphic card but the computer also had an nvidia graphic card from 2006, a graphic card intended for an older computer which was never used. Sometimes the onboard graphic card would switch to the nvidia for no reason. One day it fried. First time I had to send the computer to repair. Given the fact that the nvidia gfx was really old I decided to buy a new one. The drivers of the old graphic card and the new graphic card both, showed up in the system of eset with a dangerous rating of 6, that is, some as dangerous and red but only for a few days or weeks. That could mean they could have infected the drivers on purpose.

Using Eset Sysinspector certain files appeared in red (rating of 7 and 6 over 9, the higher the number the more dangerous), most of them in the folder native images, but they could never be accesible, they would point to the correct folder but upon trying to go to the folder windows would not find it never. Yesterday they showed up finally but of course no antivirus says they are infected. One in two different smsvchost.exe (native images as smsvchost.ni.exe and native images as SMSvcHost.exe; rating of 7 both) one in mom.exe (native images as mom.ni.exe; rating of 6) one in ccc.exe (native images as ccc.ni.exe, rating of 6), these last two are files of the drivers.


So... summarizing: My windows 10 computer had high usages in the cpu, ram, and cpu though lately it is mainly the gpu and the ram and cpu stay fairly quiet. It could be a rat rootkit, etc etc, and they could be sending messages at a fast peace to mess up my mind (I certainly got a headache last time I saw those fast letters). They could have been infecting the drivers of the graphic card.

The infection could be one of the reasons my last graphic card got broken too.

Malwarebytes antimalware premium doesn´t find a thing and Eset Smart Security doesn't find a thing neither although I can´t check it in safe mode because it gets frozen.

Also Malwarebytes antimalware premium stops starting at the start up for no logical reason. And other times it starts up again with windows without touching a thing.

Malwarebytes Anti-Rootkit and Gmer showed up nothing.

Sysinternals shows up the autorun entry GatherNetworkInfo.vbs in red, though I don't know if that could mean a thing.

Eset SysInspector shows up 4 files in red (danger rating 7 and 6) beeing smsvchost.ni.exe and SMSvcHost.exe in 7 and mom.ni.exe and ccc.ni.exe in 6. all of them in the native images folder.

Here is the screenshot of gmer showing up multiple odd user accounts http://postimg.org/image/ln9f5birr/

My computer is windows 10 home 64 bits.


PostData: It has happened in the past to me that after copy pasting something and pasting it somewhere the copy pasted text before that one appeared again. So, imagine it, you copy certain text, paste it, then copy another text, paste it, and when you are going to paste it again instead of pasting that text you copied it shows up the other before that one... in fact it has happened to me some minutes ago. Could be paranoia or a bug but... there I leave it.


So... I guess it seems a bit odd what I am writing but I am tire of that computer and before formatting completely C:/ I would try to check the infection.


Excuse my english, as I am not a native english speaker and the very long wall of text but I wanted to write everything as it happened.

Edited by Eunone, 02 January 2016 - 04:38 PM.

BC AdBot (Login to Remove)



#2 Jo*


  • Malware Response Team
  • 3,269 posts
  • Gender:Male
  • Location:Germany
  • Local time:01:18 PM

Posted 03 January 2016 - 10:27 AM

Sorry, but it seems that your pc is infected with a virus or malware which is going to take some more work and a deeper look. No sense running a bunch of tools here.
Please follow this Preparation Guide, post in a new topic and include a link to this thread.

Let me know if all went well.

Graduate of the WTT Classroom
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.

#3 MDD1963


  • Members
  • 685 posts
  • Local time:09:18 PM

Posted 03 January 2016 - 08:19 PM

YOu could fight for 32 hours running an array of tools multiple times, sifting through scan results, or, in a single hour or so you could...


Wipe and reload

Nuke and Pave



Choose any of the above to be sure....!

Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060

#4 Eunone

  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:18 PM

Posted 06 January 2016 - 02:46 PM

Doing that now MDD1963 :smash: 


The thread can be closed.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users