
I've learned about computers over the years, but it wasn't until recently that I really sat down and tried to learn about malware in depth (like the registry and embedding in files, etc.). I've been teaching myself, so I'm sorry if I mess up some terminology. I'm at an impasse, though, and I'm not sure where or to whom to turn. I dread the thought of having to completely reinstall the OS because I have years of work and projects on there.

I have a Dell Inspiron running Windows 10 Home Edition. I discovered a log file where the commands were pulling .dll and .bat files from various temp folders and, I believe, getting rid of them. The same log file said that the OS was Vista and the computer was a Lenovo. Later on, the command lines showed that some of my computer specs had been identified. The log is lengthy and puts this post over the word count, but I'd like to share it. If someone could let me know the best way to do that, it'd be much appreciated. :)

Next I found a consolehost_history.txt file sitting on my desktop that hadn't been there before (I have a small handful of shortcuts, but I know for a fact it wasn't there before). I read through it, and initially I assumed that it was from some Windows process. It looked like PS command lines. After taking a closer look, it kind of looked like there was a typo in the coding? I had that old registry.txt file from a while ago and sadly didn't think anything of it because I wasn't really aware of this stuff. I found it strange that it was included. Anyway, I'm not very familiar with coding, but here it is:

net.exe stop Superfetch
chkdsk /?
chkdsk C: /F
exit
cd
C:\Users\Emma\AppData\Local\Temp
ls
net.exe stop Superfetch
select-string "hklm" registry.txt
cd
cd
cd Desktop
cd C;\\
cd C:\
cd Desktop
C:\\Desktop
/Desktop
\Desktop
C:\Desktop
Get-ChildItem -Path C:\Desktop
C:\Users\Emma\Desktop
cd Users
cd Emma
cd Desktop
select-string "hklm" registry.txt
get-pssessionconfiguration
Get-AppXPackage -AllUsers |Where-Object {$_.InstallLocation -like "*SystemApps*"} | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}

There are numerous svchost.exe processes running on my desktop. However, when I booted in safe mode there were significantly fewer. I managed to find the checksum of the svchost.exe (at least I'm pretty sure I did) and compared it to an expected one I found online, and they didn't match. Not really sure how to go about tackling that.

I rifled through some folders under C:\user and I came across some weird-looking folder/file names. The names resembled ones in the bulky log I mentioned earlier. Not sure if they're the same, but same deal (hashed?). I copied file paths and typed out some brief comments, which I can add as some sort of attachment as well. On a side note, I'm afraid that this might be through someone I used to be close with but ultimately cut ties with, and they have a Lenovo, which makes me a little more skeptical. Or that could just be me overreacting, who knows lol. Anyway, any type of feedback would be appreciated! Thank you! :)
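A few facts worth having before deciding between triage and reinstall. PSReadLine normally writes ConsoleHost_history.txt to %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\, not to the Desktop, so a copy on the Desktop was put there by something (or someone) other than PowerShell's own history mechanism. The three Get-AppXPackage | Add-AppxPackage -Register lines in the history are the widely circulated one-liner for repairing a broken Start menu or Store apps, and net stop Superfetch and chkdsk are routine troubleshooting commands. Windows 10 also runs many svchost.exe instances by default (services are split into separate hosts on machines with more than roughly 3.5 GB of RAM), and safe mode starts fewer services, so a lower count there is expected. Finally, a hash of svchost.exe changes with every Windows build and cumulative update, so an "expected" hash found online is only meaningful for that exact build; the check that actually answers "is this the file Microsoft shipped?" is the Authenticode/catalog signature. The script below is an added example, not code from the original post or from the commenters; it assumes an elevated Windows PowerShell 5.1 session on Windows 10 (without elevation, ExecutablePath is blank for SYSTEM processes and every instance would be flagged).

```powershell
# Added example (not from the original post): triage checks for the symptoms described above.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10.

# 1. Where PSReadLine really keeps the history file. Anything named ConsoleHost_history.txt
#    elsewhere (e.g. on the Desktop) did not get there through PSReadLine.
$historyPath = (Get-PSReadLineOption).HistorySavePath
"PSReadLine history file: $historyPath"
if (Test-Path $historyPath) { Get-Content -Path $historyPath -Tail 20 }

# 2. Is the svchost.exe on disk the one Windows shipped? Check the signature instead of comparing a
#    hash found online; the hash is build-specific, the signature is not. The system binary is
#    catalog-signed, so Status should be 'Valid' with a Microsoft Windows signer.
$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$sig = Get-AuthenticodeSignature -FilePath $svchost
[pscustomobject]@{
    Path   = $svchost
    SHA256 = (Get-FileHash -Algorithm SHA256 -Path $svchost).Hash
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
} | Format-List

# 3. Every running svchost.exe: which image it runs from, who started it, and which services it hosts.
#    A large number of instances is normal on Windows 10. What is NOT normal: an image outside
#    System32, a parent other than services.exe, or an "svchost.exe" that hosts no service at all.
$hostedBy = @{}   # PID -> list of service names hosted in that process
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId } |
    ForEach-Object { $hostedBy[$_.ProcessId] += @($_.Name) }

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $services   = $hostedBy[$_.ProcessId]
    [pscustomobject]@{
        PID        = $_.ProcessId
        Image      = $_.ExecutablePath
        Parent     = $parentName
        Services   = if ($services) { $services -join ',' } else { '<none>' }
        Suspicious = ($_.ExecutablePath -ne $svchost) -or
                     ($parentName -ne 'services.exe') -or
                     (-not $services)
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Optional: 'sfc /scannow' verifies all protected system files (svchost.exe included) against
# Windows' own known-good copies and repairs any that differ.
```

Rows with Suspicious = True deserve a closer look (hash the image, check its signature, and look at its command line); a clean table does not prove the machine is clean, since none of these checks find persistence that does not use svchost.exe, which is why a wipe remains the only definitive answer when the origin of the files cannot be explained.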

    This isn't really a malware forum. If you cannot explain how files got on your desktop, then I think your option is to pull the files you want to save and nuke the machine from orbit and reinstall. – schroeder May 02 '19 at 19:03
  • Maybe ask Emma if she's been playing around with PowerShell lately? And if not then just bite the bullet and do a full wipe/reinstall (or in the parlance of one well-known 80's sci-fi space-marine Jimmy Cameron-directed action movie: "I say we take off and nuke the entire site from orbit. It's the only way to be sure.") – hft May 02 '19 at 19:31
  • Oh, I'm sorry! I was thinking of it from a hacking/security issue aspect. No, I haven't been using PowerShell. – wavesummations May 02 '19 at 20:12
  • I guess that'll be the route to go then. The machine has been rocking it for years now. Thank you for your help! I also love the reference, by the way. – wavesummations May 02 '19 at 20:14

0 Answers