
Pretty sure I'm infected.



My Windows Update is still "searching online for updates", sorry for the delay. Will post the second I can run everything. Will also keep you updated if anything else messes up other than Windows Update, which I know is prone to taking a LONG time to find files to download/update etc. Cheers. Let'cha know what's going on soon.


Thanks for those logs, still not seeing anything to explain the slowdown of your connection.... Let's try running your system in "Clean Boot" mode; basically that is all non-Microsoft services disabled... Obviously leave active any non-MS service that has an impact on your connection or security. See how your system responds in that mode...

Full instructions at the following link, scroll to the section for Windows 7....

https://support.microsoft.com/en-gb/kb/929135


I don't notice any FPS issues, ever, so it's hard to say. It's only internet hiccups, like I'll have a Twitch stream up and it will constantly need to buffer on and off, and before I never needed to do that, it would just load while I play my games at the same time. Now I'm lucky to buffer a video and play a game, or even download a song. I'm not sure why my net is getting its bandwidth torn apart; I have not switched ISPs or anything for a few years, and I've only been having this issue the last month. I cannot pinpoint it no matter what I do. Might be time for a new PC? lol.


Well, I see a tonne of special logons and winlogon and event IDs which seem extremely suspicious, as Advapi is usually used by malicious software to stop virus definitions etc., and my logs are clogged with tonnes of this:

Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7

Privileges:        SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege 

Stuff like this, which is of level 5/8/2 logons, which means they have access to my password cleartext through SVC, and it's showing that there's lots of changes being made. I'm not sure if it's my antivirus or not, but I've had a lot of suspicious activity and I have no idea how to stop it, or how to pinpoint it, or if it's even a thing. I might be getting throttled by my ISP, but as I said, I have NEVER had an issue with that and been with them forever, and it only occurs at 10 pm till about 4 am-ish; this is why I thought it was a bitcoin miner. I've personally had a miner before on an older system when I used to farm them, and it was sorta acting like it, only running at certain times when the user isn't on, at peak times etc. It's super fishy, idk what to make of any of this, but the only thing I do know is this is unstable behaviour and it's NEVER done this up until the last month, so at this point the PC swap doesn't seem so drastic since we went through so many diagnostic tools. I counted 7 antivirus programs etc. you got me to run and nothing is coming up. I'm honestly baffled, I've never had a PC issue I can't determine; I've even gotten ahold of tech friends, they all think I'm infected but everyone's confused. Is this a new-age virus that has not been detected yet? lol. And just no one has any info on it. Like, highly unlikely but... I... I just don't know. My event IDs just show me too much scary stuff I barely get, and I've been googling these IDs non-stop; many say it could be a malicious program/rootkit/virus "hiding" as a normal file, and even some "safe" files, when I upload them to VirusTotal, get warnings. Computers are too hard to self-diagnose and I don't wanna screw anything else up worse, but everything Google says just points to bad news when I look up event IDs etc.
Sorry for the wall of text, not sure how else to explain it. I'm very vexed at this situation; I put a lot of time and money into this RIG.


Also read that certain programs can take over your antivirus and act as it would, disguising themselves as other things to make it run on a PC without being noticed etc. Sorta feel like I'm dealing with a ghost. I can't see or catch him, but I note his presence and I feel like something is watching me. Get what I'm saying? haha. It's as if I can feel it affecting me but I see nothing. This "ghost" is problematic and has only caused me issues in the last month.


Stuff like this worries me. As I've said, I looked it up and people say it's safe and dangerous; there's no in between, it's either 100% unstable/infected or it's 100% clean and working lol

 

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:        ANONYMOUS LOGON
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3441d
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x0
    Process Name:        -

Network Information:
    Workstation Name:    
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        NtLmSsp 
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    NTLM V1

This crap bugs me and makes zero sense no matter how hard I dive into the internet and read up and learn.

 


An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:        BEANDIP-PC$
    Account Domain:        WORKGROUP
    Logon ID:        0x3e7

Logon Type:            5

New Logon:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x2d0
    Process Name:        C:\Windows\System32\services.exe

Network Information:
    Workstation Name:    
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

 

This one scares me the most, as its logon type is five and the other one was two; it has full access and roam of my PC. Is this a safe SVC being executed, or is someone taking control of my stuff and changing stuff on me?

 

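Decoding the fields in the two 4624 events quoted above, and in the 4672 "Special privileges assigned to new logon" entries from the earlier post, is mostly mechanical once you know what each field means. The following is an added Python example, not from this thread and not a Malwarebytes or Microsoft tool: it parses the text Event Viewer copies out for these events and applies defender-side triage rules. The three sample events are constructed, shortened copies of the ones quoted in the thread; the verdict rules are the editor's own heuristics (logon ID 0x3e7 is the SYSTEM session, logon type 5 from services.exe is the Service Control Manager starting a service, and a type 3 ANONYMOUS LOGON with no source address is a local null session), not an authoritative classifier.

```python
# Added example (not from this thread): parse the 'Key:  value' / 'Section:' text that Event
# Viewer copies out for events 4624 (logon) and 4672 (special privileges) and triage it.

EVENT_PRIV = r"""Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Logon ID:        0x3e7

Privileges:        SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeDebugPrivilege
            SeImpersonatePrivilege
"""

EVENT_ANON = r"""An account was successfully logged on.

Logon Type:            3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:        ANONYMOUS LOGON

Network Information:
    Source Network Address:    -

Detailed Authentication Information:
    Logon Process:        NtLmSsp 
    Package Name (NTLM only):    NTLM V1
"""

EVENT_SERVICE = r"""An account was successfully logged on.

Logon Type:            5

New Logon:
    Account Name:        SYSTEM

Process Information:
    Process Name:        C:\Windows\System32\services.exe
"""

def parse_event(text):
    """Flatten one event into {'Section.Key': value}; continuation lines become lists."""
    fields, section, last_key = {}, "", None
    for raw in text.splitlines():
        body = raw.strip()
        if not body:
            continue
        indented = raw[0] in " \t"
        if ":" not in body:
            if indented and last_key:                   # e.g. further privilege names
                prev = fields[last_key]
                fields[last_key] = (prev if isinstance(prev, list) else [prev]) + [body]
            else:
                fields.setdefault("Message", body)     # the event description line
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if not indented and not value:                  # 'Subject:' style section header
            section, last_key = key, None
            continue
        last_key = f"{section}.{key}" if indented and section else key
        fields[last_key] = value
    return fields

def triage(ev):
    """Return (verdict, reason); verdict is 'routine', 'review' or 'investigate'. Heuristics only."""
    msg = ev.get("Message", "")
    if msg.startswith("Special privileges"):
        if ev.get("Subject.Security ID") == "SYSTEM" and ev.get("Subject.Logon ID", "").lower() == "0x3e7":
            return "routine", "4672 for the SYSTEM session (0x3e7): written whenever the OS or a service opens a privileged session"
        return "review", "4672 for a non-SYSTEM account; confirm it should hold these rights"
    if not msg.startswith("An account was successfully logged on"):
        return "review", "unrecognised event text"
    ltype = int(ev.get("Logon Type", "0"))
    account = ev.get("New Logon.Account Name", "")
    src = ev.get("Network Information.Source Network Address", "-")
    proc = ev.get("Process Information.Process Name", "-").lower()
    ntlm = ev.get("Detailed Authentication Information.Package Name (NTLM only)", "-")
    remote = src not in ("-", "", "127.0.0.1", "::1")   # '-' means no network source was recorded
    if ltype == 5 and account == "SYSTEM" and proc.endswith("\\services.exe"):
        return "routine", "service logon by services.exe (the Service Control Manager starting a service as SYSTEM)"
    if ltype == 3 and account == "ANONYMOUS LOGON" and not remote:
        note = "; NTLM V1 is legacy, consider raising LmCompatibilityLevel" if ntlm == "NTLM V1" else ""
        return "routine", "anonymous (null-session) network logon with no remote source, common on workgroup PCs" + note
    if ltype == 10 and remote:
        return "investigate", f"remote interactive (RDP) logon for {account} from {src}"
    if ltype == 8:
        return "review", "NetworkCleartext logon: the password crossed the network unencrypted (e.g. Basic auth)"
    if remote:
        return "review", f"type {ltype} logon for {account} from {src}; expected only from hosts you share with"
    return "routine", f"type {ltype} logon for {account} with no remote source"

if __name__ == "__main__":
    for text in (EVENT_PRIV, EVENT_ANON, EVENT_SERVICE):
        verdict, reason = triage(parse_event(text))
        print(f"{verdict:12s} {reason}")
```

Run as-is it prints one verdict per sample; to use it on your own events, paste the text of each event from Event Viewer's General tab into a string. The field to look at first is Source Network Address: a `-` means nothing came in from the network, which is why both quoted 4624 events and the 4672 flood come out as routine, whereas a type 10 logon from another address is the kind of entry that deserves a closer look.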

And I would contact my ISP, but they are closed when it starts to happen. This has also made me think "throttle". Is there any program I can use to specially monitor bandwidth specifically? Or ports, or lost packets? Something accurate that will see everything that's hiding or private?


TCPView

  • Please download TCPView and extract the contents to your Desktop.
  • Right-click TCPView.exe and select Run as administrator to run the programme.
  • Read the EULA and click Accept.
  • Wait 20 seconds.
  • Click File, followed by Save As.
  • Name the file TCPView Text and save the file to your Desktop.
  • Upload the log (TCPView Text) to your reply...

No doubt, understood. Not sure what could cause this then. And as you replied I left my TCPView open for another ten mins and it found several more endpoints..... as well as several more ports it was listening in on. Not sure what to make of that, and as it happened my Discord went womppppppppppp and got all slow, and that's a simple VoIP with low usage.


Let's go for a clean install of Chrome....

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Remove all synced data from Chrome, go here: http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/ follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome from here: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install Dr.Web Anti-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

Any improvement?

Edit, maybe download the installer first before uninstalling Chrome.....

 


That How-To Geek manual is too old, it's from 2012. I'm using a way updated version; here's what I see on my dashboard.

 

Dashboard

Send me monthly reminders to check my account activity.

Account
    Primary email: hidden for privacy, not sure if needed anyways

Android

Books
    My Library: 0 books
    Bookshelves: 10

Calendar
    My Calendars: 1 calendar
    Time zone: (GMT-08:00) Pacific Time

Photos
    Albums: 1
    Photos: 0

Play Store
    Installed applications: 2
    Most recent app: Snapchat on Dec 7, 2013

Talk
    Contacts: 0

YouTube
    My videos: 2
    Playlists: 6

©2016 Google - Google Home - Privacy & Terms - Help

https://gyazo.com/246dd69e8fb571d731f49bc5db335831 Ya, I completely get that, but how do I delete what there is not to delete, you get what I mean? lol See this image, it will elaborate better. This picture indicates I have nothing to reset or sync; my Google account had nothing synchronized with it. :P So now I guess just go with the uninstall and clean install?
