Could this be malware?

By devnulllore
in Microsoft (Windows)

 Share

Recommended Posts

Grand Master

devnulllore

Posted
  • Author
Posted
5 hours ago, BudMan said:

Well you should prob look into the details of each error/warning and look to correct stuff that is not correct.

 

I'm not seeing any dcom 10010 errors, but in mine I see some 10016, which I have just corrected.  Decom permissions can be adjusted..

 

Volmgr 46, points to crash dump file not there? Not created?

http://www.eventid.net/display-eventid-46-source-volmgr-eventno-10647-phase-1.htm

 

Are you disabling swap?? ie your pagefile?

I will do so. The dcomm 10016 is one too. How did you correct it?

Grand Master

xrobwx71

Posted
Posted

https://www.sysnative.com/forums/pages/bsodcollectionapp/

 

Try the above and post the results, perhaps it will shed some light on your situation.

 

Also, you can try this too: 

 

https://www.bleepingcomputer.com/forums/t/576333/driver-verifier-bsod-related-windows-10-81-8-7-vista/#entry3707530

 

 

Grand Master

devnulllore

Posted
  • Author
Posted
10 hours ago, Peresvet said:

TL;DR 6 pages, so sorry if it's been addressed already, but you are missing lots of unallocated space there, ~ 46GB.

It's over provisioning

5 hours ago, BudMan said:

fixed the permissions on the decom...

 

You will want to look for the specific that was causing yours mine was the Immersive Shell

Would you offer instructions on how you fixed the decom error?

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

What is your specific error - do a simple google for the exact error and you will more than likely find multiple hits on how to correct it.. For example.. Here were instructions how to fix an esent error was also seeing.

 

https://answers.microsoft.com/en-us/windows/forum/all/event-viewer-erro-esent-455-since-update-1903/624a2548-06e5-47f4-bb99-76d6412895a0

 

here was specific fix for the 10016 error I was seeing

https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/error-event-id-10016-distributedcom/130522d2-beac-4495-980a-65e1e3279901

 

Keep in mind the errors I was seeing could be different than what your seeing.

Grand Master

devnulllore

Posted
  • Author
Posted

Well whatever it is now that is causing the problem I did in fact have malware, ransomware to be exact. For the first time in my life I started using Tor browser and now I am getting ransom notes in my email is anyone familiar with these?

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

An email threatening ramsonware is also not ransomware - its just spam..

 

Also the emails saying this is your password, and I know what you did on some p0rn site - send me some crypto - again spam..

Mentor

ReAnimation

Posted
Posted (edited)

I haven't read through the full breadcrumb trial of this thread so apologies if this has already been mentioned, but random crashes/BSOD's can sometimes be caused by bad RAM.

 

Have you tried running memtest 86 on your computer and let it run a full sweep of your RAM?

 

You can download the ISO file (https://www.memtest86.com/) and either burn it to CD, or create a bootable USB memory stick using Rufus (https://rufus.ie/).

 

Depending your computers BIOS setup, you may need to enable legacy boot support to boot from USB media/CD's.  (My motherboard calls it CSM - compatability support module).

 

Once you have the motherboard booting from USB/CD, let memtest run a full sweep.  If its all fine, you can rule out memory issues.

Grand Master

devnulllore

Posted
  • Author
Posted
2 hours ago, BudMan said:

An email threatening ramsonware is also not ransomware - its just spam..

 

Also the emails saying this is your password, and I know what you did on some p0rn site - send me some crypto - again spam..

What about the fact that the password s they showed were my actual passwords?

 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Because some site data was compromised... That had your passwords..

 

1) Hack some site that has emails and passwords

2) use said emails to spam emails saying xyz - proof we have your passwords

3) profit.

https://techcrunch.com/2018/07/12/ransomware-technique-uses-your-real-passwords-to-trick-you/

 

edit:

This is another example of why you use very complex passwords, use different passwords for all sites.. And pay attention to any sites that have been compromised

 

Look into https://haveibeenpwned.com/

 

edit2:  To be honest some help desk guy that works for company xyz, could leverage his access to emails and passwords for such a scheme as well.  Site wouldn't have to have be compromised by outsiders.

 

 

  • Jim K and Matthew S.
  • Thanks 2
Grand Master

Jim K Global Moderator

Posted
  • Global Moderator
Posted

In addition to the above ... if you do get some emails saying they know your password is (your actual password)... be sure that all sites that you use that password/email combo have been changed.  Don't worry about the "ransom note" email itself ... just start changing passwords (if the password is your actual password) if you haven't already.

 

I've gotten a few of those "ransom note" emails but they contained older passwords of mine.

 

You can also use https://haveibeenpwned.com/ to check your email address vs. data breaches.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

^very good advice.  While the complexity of the passwords does not help if the site has been compromised.. Using complex passwords can get you out of the habit of using the same password over and over once you start letting your password tool generate them for you..

 

I normally create account on new site with easy to remember and type password, then after account created complex it up to normally the max number of characters they allow, etc.

 

You know I would not be surprised if some of these spammers just send random stuff to emails.. When you send out a billion emails in a day - you prob hit on a few combo's of users that used some common password, etc.  And take the bait.. So just with a user list of say 10 million email address... I could send out saying hey I know your password for facebook, and it was p@55word! send me $$ and I won't do xyz..

 

The reason we get spam is the people sending them are not paying for the sending.. When it cost me say 2 minutes of work to send out 10 million emails, even if I only get .001% hit rate for users that fall for it - hey easy money... Until such time that users wise up and stop falling for this nonsense.. There will be spammers trying to take advantage..

 

Here is a funny example of something in my spam folder, was just going through to see if anything mis marked..   How and the F could anyone fall for such nonsense?

spam..thumb.png.d3a99c6c7674d46f28fa2783fe1597cb.png

 

Just blows my mind that somewhere, someone is thinking they are going to get 45 million dollars???

Grand Master

Jim K Global Moderator

Posted
  • Global Moderator
Posted

Does anyone else have an issue seeing your attachments (sorry, off topic)?  

 

 

Capture.JPG

 

I also tried with my phone .. on the Sprint mobile (to make sure my router wasn't blocking something) ... but your attachments don't work for me.

 

Right clicking and selecting "Open image in new tab" gives the following error ...

  

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>5EF1CE48A4FDD3F4</RequestId>
<HostId>
VInyw41A+Zzy/aACyc/tHGTkjdwhbL6QHatXMPPfyN+6i1ErbvjK6/bqcw7NQmHS/QY4fNm7T6A=
</HostId>
</Error>

Weird ...

Mentor

Ve7878

Posted
Posted
54 minutes ago, BudMan said:

Not sure but I am seeing them.. Your not I take it.

 

edit: just opened in another browser and can see them just fine as well.. Thinking maybe its just you..

No I'm getting the same as @Jim K here.

Grand Master

Matthew S.

Posted
Posted
1 hour ago, BudMan said:

Not sure but I am seeing them.. Your not I take it.

 

edit: just opened in another browser and can see them just fine as well.. Thinking maybe its just you..

Looks like there's actually a file permission issue with the neowin cdn...

Grand Master

devnulllore

Posted
  • Author
Posted (edited)

Ok I checked the  https://haveibeenpwned.com/  site and it says I have been compromised by over 30 sites and they want me to buy a password program. What can I do now? Should I notify my service provider?

Grand Master

Jim K Global Moderator

Posted
  • Global Moderator
Posted
22 minutes ago, devnulllore said:

Ok I checked the  https://haveibeenpwned.com/  site and it says I have been compromised by over 30 sites and they want me to buy a password program. What can I do now? Should I notify my service provider?

No..your service provider can't do anything about it.

 

Just be sure your passwords are changed (especially if that email you received contained current password(s) or if the compromised sites revealed currently used password(s)).  Just might be time to go through all your logins and update. :)

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

So exactly - when I look at my email on the pwnd site.. its listed in 6.. one being Adobe, back in 2013

 

Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text.

 

will just list the text vs screenshot, since there might be an issue with screenshots currently?

 

Anywhoo you see that adobe had problem back in 2013, my email address was listed in there.  My ISP has nothing to do with Adobe's lack of security.. Same goes with your ISP and the sites you have accounts on that have been compromised..

 

And sure they might suggest you use password site or software xyz.. Your free to do that if you wish.. Use of password site/software will allow you to use different passwords for each site much easier then you doing it yourself... Nobody can remember complex passwords, especially once you start using different ones on each and every site you have accounts on.. I am guessing you have way more than 30 ;)  If all your sites use different passwords - even if one compromised they only gain access to that site account, and not all of yours since your using different passwords on each site.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

What does your browser have to do with a site being compromised and the sites incompetence at correctly securing their users passwords/info?

 

Nothing you do or run on your end has anything to do with that... You could use a 120 character complex password, doesn't matter if the site stores it in the clear, or in a easy to reverse hash in their DB, and that DB is gotten by someone.

 

The one thing you can do to help mitigate issues when that happens is use different passwords for each site.

edit: Also the other thing you could do is enable 2FA.. So even of the info is compromised - they would also need to be able to do the 2FA.. That is not fullproof either, but it can help - depending on the MFA the site has enabled and how they have it implemented, etc.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft Authenticator - Constant Login Approval Requests

      By jbarcus81 · Posted

      So for the last few days, and excuse me if I'm not posting in the correct place... anyway, for the last few days I have been getting constant login approval requests from Microsoft Authenticator. I thought maybe someone was trying to get in so I changed my password and backup info... it did stop for a bit after, but now, it's back. I've had maybe 10 today alone. I check the history and there is nothing there.... under my recent activity it just lists my login to view the page, and my last login attempt which I signed into Outlook on my phone on June 18. What is going on? It's asking me to 'type in the code' that's displayed on my screen. I'm not doing it! Anyone else? Anything I should dig deeper into?
    • Apple MacBook Neo is a blessing for Windows users, here's why

      By +pmrd · Posted

      Hello police? I'd like to report a murder.
    • Researchers claim Microsoft's quantum breakthrough is flawed by basic Python errors

      By +pmrd · Posted

      Snakes. Why did it have to be snakes?
    • Ventoy 1.1.15

      By Copernic · Posted

      Ventoy 1.1.15 is out.
    • Win11Debloat 06.24.2026

      By Copernic · Posted

      Win11Debloat 06.24.2026 by Razvan Serea Win11Debloat is a lightweight, easy to use PowerShell script that allows you to quickly declutter and customize your Windows experience. It can remove pre-installed bloatware apps, disable telemetry, remove intrusive interface elements and much more. The script also includes many features that system administrators and power users will enjoy. Such as a powerful command-line interface, support for Windows Audit mode and the option to make changes to other Windows users. All changes made by Win11Debloat can be easily reversed, and most removed apps can be restored via the Microsoft Store. A full guide on how to undo the changes is available here. Win11Debloat features: Below is an overview of the key features and functionality offered by Win11Debloat. Please refer to the wiki for more information about the default settings preset. Remove a wide variety of preinstalled apps. Click here for more info. Disable telemetry, diagnostic data, activity history, app-launch tracking & targeted ads. Disable tips, tricks, suggestions & ads across Windows. Disable Windows location services & app location access. Disable Find My Device location tracking. Disable 'Windows Spotlight' and tips & tricks on the lock screen. Disable 'Windows Spotlight' desktop background option. Disable ads, suggestions and the MSN news feed in Microsoft Edge. Hide Microsoft 365 ads on the Settings 'Home' page, or hide the 'Home' page entirely. Disable & remove Microsoft Copilot. Disable Windows Recall. Disable Click to Do, AI text & image analysis tool. Prevent AI service (WSAIFabricSvc) from starting automatically. Disable AI Features in Edge. Disable AI Features in Paint. Disable AI Features in Notepad. Disable the Drag Tray for sharing & moving files. Restore the old Windows 10 style context menu. Turn off Enhance Pointer Precision, also known as mouse acceleration. Disable the Sticky Keys keyboard shortcut. Disable Storage Sense automatic disk cleanup. Disable fast start-up to ensure a full shutdown. ...and more. Once you’ve downloaded the Win11Debloat file (Get.ps1), just follow these quick steps: Locate the Get.ps1 script file. Right-click the file and select Run with PowerShell from the context menu. If prompted by User Account Control (UAC), select Yes to grant the script the necessary administrative permissions. Win11Debloat 06.24.2026 changelog: With this release, the legacy app list generator and CustomAppsList file support is removed. This only affects users using legacy command-line methods. More info here: #664 Features & Improvements Clean up styling to better match Windows fluent design guidelines by @Raphire in #638 Add GPO override warning alert and WhatIf dry-run previews by @HetCreep in #611 Disable telemetry-related scheduled tasks under Microsoft\Windows by @HetCreep in #615 Guard against loading, saving & executing undefined features by @Raphire in #665 Simplify Window management & update minimum window sizes by @Raphire in #671 Update start menu backup/restore with timestamped filenames by @Raphire in #672 Clean up feature execution logic for readability by @Raphire in #641 Clean up & improve app removal methods, remove legacy CLI app removal methods by @Raphire in #662 Remove support for CustomAppsList file format, including -RemoveAppsCustom and -RunAppsListGenerator parameters Update CLI app removal to use newer app removal methods Drop support for sunset apps (Fitbit, Shazam, Twitter, Viber, Wunderlist, XING) and Plex Fix removal of Microsoft Copilot Fixes Fix: Replace P/Invoke dynamic DLL imports with WPF native methods to fix temp DLL access-denied errors by @Raphire in #661 Fix Start Menu apps not being set correctly for all users when running script for other user by @Raphire in #637 Fix store suggestions not getting disabled correctly for all users when running as other user by @Raphire in #642 Fix: Respect Feature min/max version for comboboxes by @Raphire in #639 Fix: Don't treat AllUsers/CurrentUser as a username at startup by @HetCreep in #647 Fix: treat dismissed unsafe-removal confirmation as decline by @HetCreep in #651 Fix: Surface runspace errors instead of swallowing them in GUI mode by @HetCreep in #655 Fix: Correct sub-key path matching in backup allow-list validation by @HetCreep in #645* Fix: Detect WinGet uninstall failures by exit code, not English text by @HetCreep in #658 Fix: Detect installed OneDrive in the "Only show installed" filter by @HetCreep in #656 Download: Win11Debloat 06.24.2026 | Open Source View: Win11Debloat Home Page | Screenshots 1| 2 Get alerted to all of our Software updates on Twitter at @NeowinSoftware

  • Recent Achievements

    • Grand Master
      Jaybonaut went up a rank
      Grand Master
    • One Year In
      Philsl earned a badge
      One Year In
    • Dedicated
      Scoobystu earned a badge
      Dedicated
    • First Post
      Tom Schmidt earned a badge
      First Post
    • One Month Later
      D0nn13 earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      416
    2. 2
      +Edouard
      173
    3. 3
      PsYcHoKiLLa
      125
    4. 4
      Michael Scrip
      77
    5. 5
      Xenon
      76
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!