I think that my computer is infected with a trojan/file dropper that no AV program can detect!!

So I downloaded the process explorer64 app, and I noticed that certain processes had weird explanations next to them, where they are being sourced from, etc. But when I went to this service: MsMpEng.exe and clicked on the properties tab, I proceeded to the Threads tab and I had multiple thread entries that said: 1664 < 0.01 2  !RtlUserThreadStart, so then I clicked on permissions and it won't allow me to see who has any permissions for this thread, or any thread regarding this process. Next I go to the strings tab and I pull up all of the strings on this process, and there are entries in there that just don't seem right. Some of the entries include (here's the first part of the strings):

NULL

Software\Microsoft\Windows Defender

BetaPlatform

ManagedDefenderProductType
PassiveMode
%d.%d.%d.%d
%d.%d.%d.%d-%d
%ProgramFiles%\Windows Defender
ProductAppDataPath
MsMpEng.exe
MpSvc.dll
MpClient.dll
%s\mpsvc.dll
%s\Platform
%s\%d.%d.%d.%d-%d
BlockedLocation
%016I64x%04x
advapi32.dll
%ws\%ws
forwarders\
kernelbase.dll
version.dll
__NO_STRING_EXPANSION
!This program cannot be run in DOS mode.
Rich_-M
.text
`.rdata
@.data
.pdata
@.rsrc
@.reloc
L$xH
@SVATAVAWH

Here is where it starts to get weird:

ValidateDrop
map/set<T> too long
njg
EventRegister
EventUnregister
EventWriteTransfer
hr=0x%08X
NULL
GetFileVersionInfoSizeW
GetFileVersionInfoSizeExW
GetFileVersionInfoW
GetFileVersionInfoExW
vector<T> too long
list<T> too long
ETW0
Platform.PlatformUpdate.Start
ProductGuid
EngineVersion
SigVersion
AppVersion
IsBeta
IsManaged
IsPassiveMode
IsSxsPassiveMode
Version
DropFolder
Microsoft.Windows.Defender
sPO
RSDS;
MsMpEng.pdb

So you see where it says to validate drop and to drop folder, etc.? What the hell is that all about?

Here are some more strings just to give you more of an idea of what's going on:


There is more, but hopefully you get the picture??? Also my Defender program will not allow me to check the box in settings to block all incoming connections to my computer, and when I went to the services management and tried to disable anything related to Windows Defender, firewall, or antivirus, it is all greyed out and I am not able to change or disable anything in relation to those services whatsoever. I also noticed that someone is logged in under Local Service with a password, and I know that it's not me because I don't even have a password to log on to anything other than the initial login welcome screen, and with my Microsoft account.

I have already done a zeroed-out hard drive cleaning with a complete re-install of the Windows 10 64-bit operating system, and somehow whatever I've got seems to find me again?!?!?!?!

Craziest sh*t I have ever seen!!!!

Please HELP!!!!

Replies


Re: I think that my computer is infected with a trojan/file dropper that no AV program can detect!!

Hi, and welcome. Looks like it's time to visit one of the free malware removal sites we recommend.

Don't try any self-fixing.

http://www.bleepingcomputer.com/
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
http://qmalwareremoval.freeforums.net/

Pick one, and stay with that expert until your system is declared clean.

Windows 10 Home X 64 Norton Security Premium Current

Re: I think that my computer is infected with a trojan/file dropper that no AV program can detect!!

process explorer64 app

Sounds like you ran Process Explorer as a limited user (NOT admin).

But when I went to this service: MsMpEng.exe and clicked on the properties tab, I proceeded to the Threads tab and I had multiple thread entries that said: 1664 < 0.01 2  !RtlUserThreadStart, so then I click on permissions and it won't allow me to see who has any permissions for this thread, or any thread regarding this process

Then you looked at some processes you didn't have privileges to look at.

Next I go to the strings tab and I pull up all of the strings on this process, and there are entries in there that just don't seem right. Some of the entries include: here's the first part of the strings

Then you looked at some seemingly normal strings from inside a program.

tried to disable anything related to windows defender, firewall, or antivirus, it is all greyed out and I am not able to change or disable anything in relation to those services whatsoever

Then you tried to disable Windows Defender, which is not permitted by normal means in Windows 10. Then you got more confused and reinstalled Windows 10.

So... I missed the part with a virus or a clear problem (other than you are running Windows 10, which many people do not view favorably).
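Rather than judging MsMpEng.exe by its strings, the check a defender would run is whether the binary on disk is the Microsoft-signed Antimalware Service Executable. The script below is an added example, not from this thread or from Microsoft; it assumes Defender's two usual engine locations (%ProgramFiles%\Windows Defender and the Platform folder under %ProgramData%) and uses only built-in cmdlets. Run it from an elevated PowerShell.

```powershell
# Added example: verify the Authenticode signature and version of MsMpEng.exe
# instead of reading its strings. The two candidate paths are assumed, not taken
# from the thread, and are where Defender normally keeps its engine binary.
$Candidates = @(
    Join-Path $env:ProgramFiles 'Windows Defender\MsMpEng.exe'
    Join-Path $env:ProgramData  'Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
)

# Path of the live process, when the OS lets us read it. MsMpEng runs as a protected
# process, so ExecutablePath can be empty from a non-elevated shell; that is expected,
# not a symptom, which is also why Process Explorer showed no permissions earlier.
$Running = Get-CimInstance Win32_Process -Filter "Name = 'MsMpEng.exe'" |
    Select-Object -ExpandProperty ExecutablePath
if ($Running) { $Candidates = @($Running) + $Candidates }

$Resolved = (Resolve-Path -Path $Candidates -ErrorAction SilentlyContinue).Path |
    Sort-Object -Unique

foreach ($File in $Resolved) {
    $Sig  = Get-AuthenticodeSignature -FilePath $File   # checks embedded and catalog signatures
    $Ver  = (Get-Item -Path $File).VersionInfo
    $Hash = (Get-FileHash -Algorithm SHA256 -Path $File).Hash

    # A genuine build carries a valid signature whose signer is Microsoft Corporation;
    # anything else at these paths deserves a closer look.
    $Trusted = ($Sig.Status -eq 'Valid') -and
               ($Sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Path         = $File
        Signature    = $Sig.Status
        Signer       = $Sig.SignerCertificate.Subject
        Description  = $Ver.FileDescription   # thread's dump shows "Antimalware Service Executable"
        FileVersion  = $Ver.FileVersion       # thread's dump shows 4.11.15063.0
        SHA256       = $Hash
        LooksGenuine = $Trusted
    }
}

# Versions the Defender service reports about itself, to compare with the file on disk.
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AMServiceEnabled
```

A Valid signature with a Microsoft signer on every listed path means the strings the original poster saw (DropFolder, ValidateDrop, the WinVerifyTrust and CryptCAT imports, the Microsoft Code Signing PCA chain) are the normal contents of the real binary; a NotSigned or HashMismatch status is the finding to take to one of the removal forums linked above.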
