[SOLVED] I'm 90% Sure I have a trojan. Please help!

[sebastianredwood]

A lot of strange things have been happening with my computer recently.
Missing files, unexplained webpages being open, incredibly high cpu usage up to 100%.
I'll take a video showing the strange things and maybe you can spot something that I can't...
My specs:
CPU: i7-4790
GPU: GTX 1660
RAM: 16gb DDR3
Storage: 1tb hdd & a 500gb ssd
Video I recorded showing the task manager and verisign.bmp looked like before I deleted it

 

[sebastianredwood]

Do you want a usable system, or do you want to investigate?

"Investigating", you may go days/weeks, and never ever know...

Well I would like both to be honest. My system is usable if I have task manager open.
I'm not sure if this can be of use but this is the scan report in a paste bin
https://pastebin.com/Hq11B4j4

 

[sebastianredwood]

It leads me to https://dll-files.com/
be careful if you decide to click that link, it gives an unsafe warning.

 

[USAFRet]

It leads me to <Redacted>
be careful if you decide to click that link, it gives an unsafe warning.

What led YOU to go to that site?

 

[sebastianredwood]

What led YOU to go to that site?

Curiousity over common sense.

 

[sebastianredwood]

Curiousity over common sense.

This could be the key to knowing what's on my computer, but I'm not brave enough to venture into such foul and uncharted territories, are you?

 

[USAFRet]

And from your scan report:
"DllFilesFixer "
No good can come from that.

This is why we have Linux, and even a Windows instance in a sacrificial VM.

 

[rgd1101]

https://forums.tomshardware.com/thr...-operation-to-complete.3663802/#post-22071954
see if you got that new miner

hmmm, I've downloaded my drivers from nvidia, nvidia control panel and experience. steam, gyazo, firefox, streamlabs, all the normal stuff

so that a lie?

 

[sebastianredwood]

https://forums.tomshardware.com/thr...-operation-to-complete.3663802/#post-22071954
see if you got that new miner



so that a lie?

Okay so... The whole downloading drivers thing was a bit messy. Nvvoida was acting all weird and stuff soo.. yeah.
Also, some system files were missing so I googled around for quite a while and I think I got them. The game now works with whatever I got but I guess some sort of little follower came with them. I wonder if there's a way to trace the address that the crypto is being sent to, if I have a crypto miner that is.
Time will tell, hopefully my pc doesn't blow up in the meantime but I doubt it will considering I'm most likely making him bank! 0.00001btc an hour. sommabitch.

 

[boju]

My system is usable if I have task manager open.

Often these nasties tend to 'susbend' itself when task manager is running to avoid you seeing it in the list of running processes. Temporary fix i guess leaving TM open.

Full wipe and reinstall, it's really the only way. You'll feel better anyway knowing your next efforts will be worth doing this time around.

 

[USAFRet]

Okay so... The whole downloading drivers thing was a bit messy. Nvvoida was acting all weird and stuff soo.. yeah.
Also, some system files were missing so I googled around for quite a while and I think I got them. The game now works with whatever I got but I guess some sort of little follower came with them. I wonder if there's a way to trace the address that the crypto is being sent to, if I have a crypto miner that is.
Time will tell, hopefully my pc doesn't blow up in the meantime but I doubt it will considering I'm most likely making him bank! 0.00001btc an hour. sommabitch.

If a family member brought their system to me in this condition...they'd get it back in an hour or so.
Fully wiped and with a fresh OS install.

"trace the address that the crypto is being sent to"
WHY? What will that do?

 

[sebastianredwood]

Okay so... The whole downloading drivers thing was a bit messy. Nvvoida was acting all weird and stuff soo.. yeah.
Also, some system files were missing so I googled around for quite a while and I think I got them. The game now works with whatever I got but I guess some sort of little follower came with them. I wonder if there's a way to trace the address that the crypto is being sent to, if I have a crypto miner that is.
Time will tell, hopefully my pc doesn't blow up in the meantime but I doubt it will considering I'm most likely making him bank! 0.00001btc an hour. sommabitch.

The PUPs are located in the same directory as that reddit posts miner location... HMMMM. more investigating is needed.

 

[sebastianredwood]

The PUPs are located in the same directory as that reddit posts miner location... HMMMM. more investigating is needed.

well you see, if I trace the address that the crypto is being sent to then I can...I can.. do something smart and. ok yeah idk.

 

[sebastianredwood]

https://imgur.com/a/xykT3HE

View: https://imgur.com/a/xykT3HE

 

[sebastianredwood]

anyone know what slobs is?

https://imgur.com/a/7lKSBSm

View: https://imgur.com/a/7lKSBSm

nvm it's just streamlabs.

 

[USAFRet]

well you see, if I trace the address that the crypto is being sent to then I can...I can.. do something smart and. ok yeah idk.

That "address" is likely 3 levels removed from the actual human.
Layer upon layer of other trojan infested botnets.

 

[USAFRet]

anyone know what slobs is?

This is your system.
If you don't know, and you didn't install it....

 

[sebastianredwood]

This is your system.
If you don't know, and you didn't install it....

There is a DFXCT folder, I can't find anything on google about it.

 

[rgd1101]

stop wasting the time.
1)nuke the system
2)stop downloading stuff

 

[sebastianredwood]

stop wasting the time.
1)nuke the system
2)stop downloading stuff

Yeah but look at this, doesn't this look a bit sketchy for something coming from Microsoft?

https://imgur.com/a/WjtrhqJ

View: https://imgur.com/a/WjtrhqJ

 

[USAFRet]

There is a DFXCT folder, I can't find anything on google about it.

Good luck with that.

 

[sebastianredwood]

https://standards.iso.org/iso/19770/-2/2009/schema.xsd

 

[sebastianredwood]

https://standards.iso.org/iso/19770/-2/2009/schema.xsd

also found a dll file and converted it to txt, i'm pretty sure it's German.

 

[sebastianredwood]

HAHA GOTCHA BITCH!! well I found one of the Trojans at least, check this out.

https://imgur.com/a/VqrTTgR

View: https://imgur.com/a/VqrTTgR

found that hidden inside of a hidden $sysreset.
a website told me its a trojan, here -> https://www.inklineglobal.com/processdll/thirdparty-csrss.html

 

[deesider]

HAHA GOTCHA BITCH!! well I found one of the Trojans at least, check this out.

Well, as long as you're having fun I guess...

 

[sebastianredwood]

Well, as long as you're having fun I guess...

i deleted it. what a pathetic attempt at hiding it..