
New Remote code or Malware

Discussion in 'Virus & Other Malware Removal' started by crazygk07, Oct 10, 2017.

Thread Status:
Not open for further replies.
  1. crazygk07

    crazygk07 Thread Starter

    Joined:
    Oct 10, 2017
    Messages:
    1
    I seem to have an issue that I cannot get rid of.
    I am fairly familiar with the workings of the Windows OS but by no means an expert.
    A few months ago I began having issues with what I saw as elevated permissions errors that would remove my primary account from power user and then would override the built-in admin account. I have had to perform more than a handful of clean installs but the issue is persisting.
    For a while I thought the issue may be gone, but currently I am experiencing the same symptoms and some other new ones.

    Currently I am running Windows 10 Pro, dual booted with Debian Linux. Linux is stored on a separate hard disk that is encrypted. There are no issues with that operating system that I am aware of.
    My main boot, Windows, has running processes and services that I cannot explain. It seems that I am receiving very stealthy redirects both from inside my browser and from Windows Explorer.
    I believe I fell victim to the "eternal blue" malware from a few weeks ago, in which I had a fake Windows security update in my installed programs list.
    I also have folders in my windows/sys32 folder that do not look familiar and are continually trying to update.
    Those issues could be just unfamiliar items. My real concerns and cause for believing this is a larger issue are:
    * I lose admin privileges on all accounts over time. A file that I could see or change one day, I cannot the next; eventually I lose access to the settings menu, mmc, PowerShell, or any executable, and the built-in admin account cannot even override this.
    * Programs have been running with much higher CPU/memory usage, killing my machine. Often there are two of one task, and when I open one task's location I am brought to a .exe file that is not what it should be. For instance, I was brought to a vss script earlier this week when I clicked on the second running process of "MBAM" that was taking 70% of my CPU. That process was not Malwarebytes, but it looked like it.
    * No scans have given any results of value. I have tried CCleaner, Malwarebytes, Windows Defender, AVG, ZoneAlarm, Spybot, rthunter. Currently I have Windows Defender, cleaner and Spybot installed on my OS.
    * My desktop icons all slowly become redirected folders/shortcuts that I eventually lose access to. Items such as my Pictures folder, Docs, etc.
    * Most recently I noticed that Chrome was acting odd. I checked "Open file location" and saw it directed me to a .exe called "slchrome" located under the Windows folder. I checked "Program Files (x86)" and found the folder where it should have been, but the application .exe file was not there, so I went and downloaded a new copy of Chrome. I was unable to open either Microsoft Edge or Explorer, so I had to use the Chrome that I have in my taskbar to download it.
    I used file analyzer to view it before opening; it was fine for about 3 minutes, but after that time the hash values changed and the certificate of the install application no longer read that it was issued from Google. I have this report log and have attached it to this post.
    * I have a "rogue DHCP server" packet that regularly appears on my network; it is responded to by my computer acknowledging that it is part of a domain. My computer is a workstation on a local network with one other computer. The second computer is listed as the domain controller on my PC, but on the other station it is simply a workgroup. When this happens (it isn't happening on the current installation yet) my built-in admin has lost all rights by that point.

    I have done several clean installs (full format and install from a Windows-supplied install disk) and the issue always seems to come back. This has occurred for about 6 months now. No other computers on my network are affected.
    I am frustrated and confused and would love any input or help.
    * Attached to this I have a text file of my current running tasklist (run from a power user account, not as Admin; I can't "runas" any longer on my current install, but I can log in to the built-in admin if needed).
    * The text report file from file analyzer of my Google Chrome install file showing the change from the downloaded file to an unverified executable.
    * A text file showing the outputs of dir /a in the Windows folder and dir /a /q in the Windows/system32 folder.


    Tech Support Guy System Info Utility version 1.0.0.4
    OS Version: Microsoft Windows 10 Pro, 64 bit
    Processor: AMD A10-7870K Radeon R7, 12 Compute Cores 4C+8G, AMD64 Family 21 Model 56 Stepping 1
    Processor Count: 4
    RAM: 15296 Mb
    Graphics Card: AMD Radeon(TM) R7 Graphics, 1024 Mb
    Hard Drives: C: 237 GB (185 GB Free); D: 931 GB (311 GB Free); G: 22 GB (22 GB Free);
    Motherboard: ASRock, FM2A88X Extreme6+
    Antivirus: Windows Defender, Enabled and Updated
     

    Attached Files:

    Last edited: Oct 11, 2017
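The symptoms described in the post (a second "MBAM" process pointing at a script, "chrome" resolving to an executable under the Windows folder, a downloaded installer whose hash and signer changed) can be checked systematically. The following PowerShell script is an added example, not part of the original post or any tool it mentions; it assumes Windows 10 with PowerShell 5.1 and writes its baseline to a file path chosen here for illustration.

```powershell
# Added example: inventory running processes, flag process names that resolve
# to more than one executable, flag unsigned or oddly located binaries, and
# keep SHA-256 hashes so a later run shows whether a binary silently changed.
$baseline = Join-Path $env:USERPROFILE 'process-baseline.csv'   # assumed output path

$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            Pid       = $_.ProcessId
            Path      = $_.ExecutablePath
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            Sha256    = (Get-FileHash -Algorithm SHA256 -Path $_.ExecutablePath -ErrorAction SilentlyContinue).Hash
        }
    }

# 1. Same process name running from more than one location (e.g. a second "MBAM"
#    or a "chrome" whose file lives under C:\Windows instead of Program Files).
$procs | Group-Object Name |
    Where-Object { @($_.Group.Path | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        Write-Warning "Name collision: $($_.Name)"
        $_.Group | Format-Table Pid, Path, SigStatus -AutoSize | Out-String | Write-Host
    }

# 2. Binaries without a valid Authenticode signature, or running outside the usual
#    install roots. Catalog-signed Windows files may show NotSigned on older
#    PowerShell builds, so read path and status together rather than either alone.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
$suspicious = $procs | Where-Object {
    $p = $_.Path
    $inTrusted = $false
    foreach ($root in $trustedRoots) { if ($p.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true } }
    ($_.SigStatus -ne 'Valid') -or (-not $inTrusted)
}
$suspicious | Format-Table Name, Pid, Path, SigStatus, Signer -AutoSize

# 3. Compare hashes with the previous run: a binary whose hash changed while its
#    path did not is exactly the kind of change the post describes for the installer.
if (Test-Path $baseline) {
    $old = @{}
    Import-Csv $baseline | ForEach-Object { $old[$_.Path] = $_.Sha256 }
    $procs | Where-Object { $old.ContainsKey($_.Path) -and $old[$_.Path] -ne $_.Sha256 } |
        ForEach-Object { Write-Warning "Hash changed since baseline: $($_.Path)" }
}
$procs | Export-Csv -NoTypeInformation -Path $baseline
```

Run it from an elevated prompt where possible, since a non-admin session cannot read the paths of processes owned by other users; a baseline taken on a freshly installed system gives the later comparisons something trustworthy to diff against.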
Short URL to this thread: https://techguy.org/1197703