Unknown User Accounts


No replies to this topic

#1 HomeDipo

Posted 27 August 2016 - 02:13 AM

Hello,
I made a rookie mistake with a file I downloaded, and as soon as I opened the exe file it was obviously a virus. After looking into things I found multiple conhost.exe processes running in Task Manager as well as two csrss.exe files running. The 2 csrss.exe files are both running from SYSTEM, even in safe mode. As for conhost.exe, there are multiple running from my user account as well as one from SYSTEM. In safe mode I only found one conhost.exe to be running, and that was running from my user account. When looking at the Windows process dump I followed a couple of trails and found folders within Program Files/WindowsApps (including the WindowsApps folder) that I could not open as an administrator. Ownership was given to certain unknown accounts with SIDs that didn't match any of the accounts showing up in PowerShell with the following command: gwmi Win32_UserAccount -ComputerName "." -Filter "LocalAccount=true"

So I have accounts that I know nothing about able to read, write and execute sensitive files. Can I assume this is the work of a virus?
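
An added example, not part of the original post: a PowerShell check that lists the owner and ACE SIDs on a folder and labels each by its well-known prefix, since Win32_UserAccount returns only user accounts and never service SIDs (S-1-5-80-...) or app container SIDs (S-1-15-2-...). The function names and the path passed at the end are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
function Get-SidKind {
    param([string]$Sid, [string[]]$LocalUserSids)
    switch -Regex ($Sid) {
        '^S-1-5-18$' { return 'LocalSystem' }
        '^S-1-5-32-' { return 'Built-in group' }
        '^S-1-5-80-' { return 'Service SID (NT SERVICE\...)' }
        '^S-1-15-2-' { return 'App container (package) SID' }
        '^S-1-15-3-' { return 'App capability SID' }
        '^S-1-5-21-' {
            if ($LocalUserSids -contains $Sid) { return 'Local user account' }
            return 'Account SID not in the local user list'
        }
        default { return 'Other / unclassified' }
    }
}

function Get-FolderSidReport {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Local user SIDs: same WMI class and filter as the query quoted in the post
    $localSids = @(Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
        ForEach-Object { $_.SID })
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read the ACL of ${Path}: $($_.Exception.Message)"
        return
    }
    # Owner first, then every explicit and inherited ACE identity, all as raw SIDs
    $sids = @($acl.GetOwner($sidType)) +
        @($acl.GetAccessRules($true, $true, $sidType) | ForEach-Object { $_.IdentityReference })
    foreach ($sid in ($sids | Sort-Object Value -Unique)) {
        # Translate() throws when no account name maps to the SID
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<no name mapping>' }
        [pscustomobject]@{
            Sid  = $sid.Value
            Kind = Get-SidKind -Sid $sid.Value -LocalUserSids $localSids
            Name = $name
        }
    }
}

# Path is an assumption; substitute the folder whose owner you are checking
Get-FolderSidReport -Path "$env:ProgramFiles\WindowsApps" | Format-Table -AutoSize
```

Rows labelled "Account SID not in the local user list" are the ones worth following up; if the ACL itself cannot be read, the function reports that instead of guessing.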
