Hi, I'm running Windows 10 on a 64-bit Dell Precision 7510. I started having strange behaviour, with something running PowerShell commands, creating a new workgroup administrator with higher privileges, and installing unwanted apps and services. The computer name was changed from the one I set, and there were many open connections to IPs that I didn't make. At this point I knew something was wrong, so I decided to wipe the PC.
I performed a full format of the only drive (500 GB SSD) with the Windows 10 recovery tool and reinstalled Win10 with a fresh image from Microsoft.
Now I am beginning to see unwanted system services again. From what I remember, during the reinstall of Windows there were some large hidden volumes (other than the system volume) that were not empty, but showed no data stores in the file system. Is it possible there is a shadow volume that contains the malware that overrides the MBR, running at every boot? I am guessing some variant of rootkit?
Please help me clear the issue. I've come to the limit of my technical ability and I need to get the laptop back online for my job. In case it helps with assigning someone to help, I will be available in 4 hours from now for the following 12.
Thanks for your time
Edited by hamluis, 27 November 2017 - 02:35 PM.
Moved from MRL to Am I Infected - Hamluis.