Multiple Viruses (Windows 10 64-bit)


5 replies to this topic

#1 ryan12313 (Members, 24 posts)

Posted 14 October 2016 - 03:15 AM

I've been having all kinds of issues since my computer auto-updated to Windows 8.1 even though I had Windows Update disabled, and again to Windows 10 recently. I can't even boot my computer without doing a series of bullbleep that takes about 15 minutes. I don't know where to begin, so I'm just going to list all of the stuff that I know of.

 

There are two user accounts I don't recognize other than mine, named piress and xiaojiing or something like that. Malwarebytes and other scanners found w32remant, w32venik, rasmedia.dll, w32/baidu, "stronghold antimalware" (this might be a legitimate program but I never downloaded it), and probably some more I'm forgetting.

 

My most recent issue is this file I found running in the background that was clearly given a random name, as a Google search leads to no results, and given that it was using over 2 GB of memory, it's clearly malicious. The executable has some weird skull icon, as if to send a message, making me think it could be a keylogger or RAT of some sort. I've attached images of the exe and the service name it was running under. I hope someone can help me.

 

I tried running FRST; however, nothing happens when I open it (the process idles). It may have something to do with "consent UI for administrative action" being corrupted.


Edited by hamluis, 14 October 2016 - 07:21 AM.
Moved from MRL to Am I Infected, no logs - Hamluis.
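Added example, not part of the thread and not code from either poster: a read-only PowerShell triage script that pulls the three things the post above is going by (local accounts the owner did not create, services whose binary looks out of place, and a process with an odd name using a lot of memory) into one listing with image paths, Authenticode status and the services hosted in each process, so the findings can be recorded before the disk is wiped. It assumes PowerShell 5.1 on Windows 10 and an elevated prompt; the suspect.exe path at the end is a placeholder to replace with the file that was found.

```powershell
# Added triage script (not from the original thread). Read-only: it only lists things.
# Assumes PowerShell 5.1 on Windows 10, run from an elevated prompt. If UAC (consent.exe)
# is broken and elevation fails, run it from a recovery/WinPE boot instead.

# 1. Local accounts and who sits in Administrators. Anything you did not create is a lead.
Write-Host "== Local accounts =="
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Format-Table -AutoSize

Write-Host "== Members of Administrators =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Services whose executable is outside the Windows/Program Files trees or has no
#    valid Authenticode signature. These are leads to check, not verdicts: some legitimate
#    third-party services are unsigned.
Write-Host "== Services with unsigned or out-of-place binaries =="
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    # Strip surrounding quotes and any arguments to get the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(\S+)') { $Matches[1] }
           else { $null }
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
               (Get-AuthenticodeSignature -FilePath $exe).Status
           } else { 'MissingFile' }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $exe
        Signature = $sig
    }
} | Where-Object {
    $_.Signature -ne 'Valid' -or
    ($_.Path -and $_.Path -notlike "$env:SystemRoot\*" -and
                  $_.Path -notlike "$env:ProgramFiles\*")
} | Format-Table -AutoSize

# 3. Largest processes by working set, with image path, signature status and the
#    services hosted in them (this is "the service name it was running under").
Write-Host "== Top processes by working set =="
Get-Process | Sort-Object WorkingSet64 -Descending | Select-Object -First 15 | ForEach-Object {
    $p = $_
    $path = $p.Path   # null for protected/system processes when access is denied
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)" |
              Select-Object -ExpandProperty Name
    [pscustomobject]@{
        PID       = $p.Id
        Name      = $p.ProcessName
        MemoryMB  = [math]::Round($p.WorkingSet64 / 1MB)
        Path      = $path
        Signature = $sig
        Services  = ($hosted -join ',')
    }
} | Format-Table -AutoSize

# 4. Hash the suspect binary so it can be looked up or submitted from a clean machine.
$suspect = 'C:\Path\To\suspect.exe'   # placeholder: replace with the file you found
if (Test-Path -LiteralPath $suspect) {
    Get-FileHash -Algorithm SHA256 -LiteralPath $suspect
}
```

Write the SHA-256 and the paths down, then do the lookup from a machine that is not the infected one. The output is for documenting what was there; it does not change the conclusion reached later in the thread, since a backdoored system is rebuilt rather than cleaned.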



#2 boopme (Global Moderator, 73,561 posts, NJ USA)

Posted 14 October 2016 - 09:55 AM

Welcome. These are backdoor infections, so I must first tell you this.

 

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, paypal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection was identified and removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system

(From Backdoors and What They Mean to You.)

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet, has to say in Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


I cannot make this decision for you as to what to do. I am just providing information so you are aware and can make an informed decision but as a minimum, you should change all passwords.

 



#3 ryan12313 (Topic Starter)

Posted 14 October 2016 - 03:07 PM

I appreciate the quick response. Given my suspicions, I've already ensured any financial or otherwise sensitive information has been secured. Unfortunately, the SQL server I've been working on for over half a year is completely ruined and I've lost hundreds of hours of work; that's the most upsetting part. That's what I get for not making backups, I guess. If I were to format, would you recommend I clean the MBR beforehand, or anything else of that sort?



#4 boopme (Global Moderator)

Posted 14 October 2016 - 03:46 PM

That should all be cleaned in the reformat.
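Added example, not from the thread: the disk wipe a practitioner would do before the reinstall so that the partition table and boot sector, and not only the contents of the old Windows partition, are overwritten. It is a small PowerShell wrapper around diskpart; the disk number 0 is an assumption to verify against the 'list disk' output. It is meant to be run from WinPE or the Windows Setup environment (Shift+F10 at the install screen), booted from install media created on a clean machine. If PowerShell is not present in that environment, the same diskpart lines can be typed into diskpart interactively.

```powershell
# Added example (not from the thread). Wipes the target disk's partition table and
# boot sector (and, with 'clean all', every sector) before a clean Windows install.
# Run from WinPE or Windows Setup booted from clean media, never from the infected OS.
# Everything on the chosen disk is destroyed: verify the disk number first.

function Invoke-DiskPartScript {
    # Write a multi-line diskpart script to a temp file, run it with 'diskpart /s',
    # and return diskpart's output.
    param([Parameter(Mandatory)][string]$Script)
    $path = Join-Path $env:TEMP ('dp-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $path -Value $Script -Encoding ASCII
    try     { & diskpart.exe /s $path }
    finally { Remove-Item -Path $path -ErrorAction SilentlyContinue }
}

# 1. Identify the disk to wipe by its size; the number below is an assumption.
Invoke-DiskPartScript -Script "list disk"
$disk = 0   # placeholder: set from the 'list disk' output

# 2. 'clean' zeroes the first and last 1 MB of the disk (MBR/GPT headers and boot
#    code); 'clean all' zeroes every sector, which is slower but also removes the old
#    data. No partitions are created here: Windows Setup partitions the unallocated
#    disk itself and picks MBR or GPT to match how the machine booted (legacy or UEFI).
Invoke-DiskPartScript -Script @"
select disk $disk
clean all
exit
"@

# 3. Confirm the disk is empty before returning to Setup.
Invoke-DiskPartScript -Script @"
select disk $disk
list partition
detail disk
"@
```

Step 3 should report that there are no partitions on the disk. A disk wipe covers the MBR and boot sector the question above asks about; it does nothing about firmware or about other devices on the same network, which is why the router reset and password changes in post #2 still apply.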

#5 ryan12313 (Topic Starter)

Posted 14 October 2016 - 03:56 PM

Okay, thanks for your assistance.



#6 boopme (Global Moderator)

Posted 14 October 2016 - 04:05 PM

You're welcome! If you have any specific format questions, ask in the Win 8 forum.



