My computer is infected but AV software does not find anything

Anixx · 2025-02-21T12:41:40-0500

My computer seemingly got infected.

The symptoms include:
* Multiple processes crss.exe and 5 open Windows sessions after boot (normally should be only Session 0 and Session 1, I have sessions 0-4)
* After boot, there is conhost.exe running, several dllhost.exe and occasionally, powershell that starts conhost.exe. Also, several processes RuntimeBroker
* After some time after boot, the keyboard stops auto-repeat keypresses and/or disappears sound.
* dllhost.exe processes are run by Wlanext.exe. Internet says that this process is tyucally used by malware Guloader. Dllhost starts with commandline "processid:{133eac4f-5891-4d04-bada-d84870380a80}". Wlanext.exe is run by svchost.exe.
* At boot, for a short time appears a console window.
* Rebooting computer instead shuts the computer down.

What I did:

* Rolled back the system to the oldest save point possible (for sure at the time I had no symptoms). During the rollback happened BSOD. After reboot the system said, it was successfully rolled back. Still the infection symptoms remained.
* Renamed wlanext, dllhost, conhost and powershell.exe files
* Renamed registry key {133eac4f-5891-4d04-bada-d84870380a80}
* Installed Malwarebytes antivirus. It did not install successfully but after partial install I was able to run it and make scan. It reported only torrent client and some Windows customization software. Nothing else.
* Used Microsoft's Malware removal tool with full scan. It found nothing.

FreeBooter · 2025-02-21T12:50:05-0500

I don't think your computer infected, but you can check those processes with Process Explorer.

This guide explains how to use Process Explorer, to spot malicious software running on a computer.

Anixx · 2025-02-21T12:52:12-0500

FreeBooter said:
I don't think your computer infected, but you can check those processes with Process Explorer.

This guide explains how to use Process Explorer, to spot malicious software running on a computer.

I wrote in my post what findings I found with ProcessExplorer.

Tester · 2025-02-21T12:56:56-0500

Anixx said:
Multiple processes crss.exe

Should be 2 by default.

Anixx said:
Windows sessions after boot (normally should be only Session 0 and Session 1, I have sessions 0-4)

Download Process Monitor - Sysinternals add column, Command Line, and make printscreen of it. And can be more sessions, if some applications uses that... make printscreen of those other sessions, + there exe's and path.

Anixx said:
* After boot, there is conhost.exe running, several dllhost.exe and occasionally, powershell that starts conhost.exe. Also, several processes RuntimeBroker

Also make printscreen, processes could be normal, or legit apps can trigger it. Show also with column; command line. For examle i have also programs running that uses a powershell window to let the application function correctly.

Anixx said:
* At boot, for a short time appears a console window.

Download Autoruns - Sysinternals and show printscreen, of what starts at boot. Could be a program that uses some bat script for legit things. (However not as good programming, as it could be done differently)

Anixx said:
Wlanext.exe

Upload to VirusTotal and share the report.

Anixx said:
dllhost.exe

This is a legit process. However could be misused, see qoute before this one.

So reading it all, it might be nothing, but still want to see the printscreen and totalvirus report.

Also in Process Monitor, turn on the option under Option -> TotalVirus.com --> Check TotalVirus.com to scan all your running exe's against 70+ virusscanners.

Also View Process Monitor, on - > View "Show Process Tree" to see what exe's run sub processes.
Looks like this:

i have conhost,powershell also running for legit app.

Anixx · 2025-02-21T13:33:44-0500

This is suspicious:

Tester · 2025-02-21T13:35:00-0500

Anixx said:
This is suspicious:
View attachment 126060

Nope it is not. Happens on most pc's.
And yellow means it is not found. So files are not there, and so, can not do anything?

Anixx · 2025-02-21T13:40:39-0500

Tester said:
Also in Process Monitor, turn on the option under Option -> TotalVirus.com --> Check TotalVirus.com to scan all your running exe's against 70+ virusscanners.

There is no such option.

Tester · 2025-02-21T13:54:48-0500

Sorry i mean in Process Explorer. Always confuse with those 2 apps.

FreeBooter · 2025-02-21T16:24:32-0500

Anixx said:
I wrote in my post what findings I found with ProcessExplorer.

Did you use Process Explorer scan functions for the processes, did you followed my guide on the video?

Anixx · 2025-02-21T16:29:35-0500

Tester said:
Sorry i mean in Process Explorer. Always confuse with those 2 apps.

Seemingly, this option does not work for me.

But here is some further development.
I rebooted the system, and was asked if I want to keep autorization by fingerprints or I want to change the authorization method. But I have never used fingerprints. In the process list there is now Credential Enrollment Manager, and I cannot terminate it.

Also, when I went to Youtube, it shows in history, as the most recently viewed, a video on how to disable password request after waking up from sleep. But I have never watched this video, and this can be proven by the browser history. So, someone logged on to Youtube with my browser profile and watched it!

Tester · 2025-02-21T16:34:39-0500

FreeBooter said:
Did you use Process Explorer scan functions for the processes, did you followed my guide on the video?

I wish Process Explorer would scan 'functions' for the processes.

As i would normally need to decompile them to see the processes it's internal functions. I love the NSA tool Ghidra for that.
After rereading i guess you mean the TotalVirus scan option for the processes. =)

Tester · 2025-02-21T16:38:54-0500

Anixx said:
Seemingly, this option does not work for me.

But here is some further development.
I rebooted the system, and was asked if I want to keep autorization by fingerprints or I want to change the authorization method. But I have never used fingerprints. In the process list there is now Credential Enrollment Manager, and I cannot terminate it.

Also, when I went to Youtube, it shows in history, as the most recently viewed, a video on how to disable password request after waking up from sleep. But I have never watched this video, and this can be proven by the browser history. So, someone logged on to Youtube with my browser profile and watched it!

Any apps you resently downloaded or installed?
Maybe a cookie hijack, i would log out all devices from google, and change password / setup 2factor authentication.
Are you using a microsoft account on machine? Credential Enrollment Manager is a per User-Service and is normal to be running in some conditions.

Anixx · 2025-02-21T16:40:14-0500

Tester said:
Any apps you resently downloaded or installed?
Maybe a cookie hijack, i would log out all devices from google, and change password / setup 2factor authentication.
Are you using a microsoft account on machine? Credential Enrollment Manager is a per User-Service and is normal to be running in some conditions.

No, I am using offline account. No Microsoft account.

Tester · 2025-02-21T16:45:47-0500

Turn off fingerprint: Enable or Disable Fingerprint Sign-in Option in Windows 11
Then reboot to see if it turns off that service.
Got it not running on any of my system, also no ms account, and no fingerprint reader, and even on some systems completly disabled.

Tester · 2025-02-21T16:49:14-0500

Anixx said:
* Rebooting computer instead shuts the computer down.

For this check if any of these options help:

What to Do If Computer Restarts After Shutdown (for Windows 11/10/8/7)

Have you ever encountered computer restarts after shutdown? It's annoying when you shut down your PC, and it immediately restarts. What to do in case the computer restarts after shutdown constantly? Learn the useful steps, why they happen, and the best way to safeguard your data beforehand.

www.easeus.com

FreeBooter · 2025-02-21T16:55:04-0500

Tester said:
I wish Process Explorer would scan 'functions' for the processes. As i would normally need to decompile them to see the processes it's internal functions. I love the NSA tool Ghidra for that.
After rereading i guess you mean the TotalVirus scan option for the processes. =)

Also, Very image signatures function will help.

Anixx · 2025-02-21T17:07:17-0500

Tester said:
For this check if any of these options help:

What to Do If Computer Restarts After Shutdown (for Windows 11/10/8/7)

Have you ever encountered computer restarts after shutdown? It's annoying when you shut down your PC, and it immediately restarts. What to do in case the computer restarts after shutdown constantly? Learn the useful steps, why they happen, and the best way to safeguard your data beforehand.

www.easeus.com

Part of the symptoms disappeared after I rolled back the system to a previous date. Including not rebooting, extra sessions, keyboard not repeating and disappearing of sound.

Anixx · 2025-02-21T17:58:13-0500

So, the conhost is started by wlanext.exe. And wlanext.exe is started by different services.

First, by service of push-notifications. I disabled it, it became started by the web security service. I disabled it, it became started by WLAN helper service.

Jacee · 2025-02-21T18:06:28-0500

This is a description of the RAT

Cloud-Based Malware Delivery: The Evolution of GuLoader - Check Point Research

Key takeaways Introduction Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are...

research.checkpoint.com

Anixx · 2025-02-21T18:53:33-0500

Jacee said:
This is a description of the RAT

Cloud-Based Malware Delivery: The Evolution of GuLoader - Check Point Research

Key takeaways Introduction Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are...

research.checkpoint.com

I need to disable vbscript and powershell. How to do this?

My computer is infected but AV software does not find anything

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Accroche-toi à ton rêve

My Computer

Well-known member

My Computer