• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Could this be malware?

Recommended Posts

Peresvet    179
On 8/7/2019 at 8:05 AM, devnulllore said:

Untitled-1.thumb.jpg.d07831a3535fc348ebe747ec2ac6b686.jpg

I ran the rescue disk and deleted the boot folder but still accesses the drive and causes hitching (system pauses) when it does.

TL;DR 6 pages, so sorry if it's been addressed already, but you are missing lots of unallocated space there, ~ 46GB.

Share this post


Link to post
Share on other sites
+BudMan    3,537

I hadn't noticed that screenshot before.. I would agree 46GB of SSD space is nothing to sneeze at ;)  If had to guess, I would say its setting for over provisioning... Would have nothing to do with this issue.

Share this post


Link to post
Share on other sites
devnulllore    33
5 hours ago, BudMan said:

Well you should prob look into the details of each error/warning and look to correct stuff that is not correct.

 

I'm not seeing any dcom 10010 errors, but in mine I see some 10016, which I have just corrected.  Decom permissions can be adjusted..

 

Volmgr 46, points to crash dump file not there? Not created?

http://www.eventid.net/display-eventid-46-source-volmgr-eventno-10647-phase-1.htm

 

Are you disabling swap?? ie your pagefile?

I will do so. The dcomm 10016 is one too. How did you correct it?

Share this post


Link to post
Share on other sites
+BudMan    3,537

fixed the permissions on the decom...

 

You will want to look for the specific that was causing yours mine was the Immersive Shell

Share this post


Link to post
Share on other sites
+xrobwx    800

https://www.sysnative.com/forums/pages/bsodcollectionapp/

 

Try the above and post the results, perhaps it will shed some light on your situation.

 

Also, you can try this too: 

 

https://www.bleepingcomputer.com/forums/t/576333/driver-verifier-bsod-related-windows-10-81-8-7-vista/#entry3707530

 

 

Share this post


Link to post
Share on other sites
devnulllore    33
10 hours ago, Peresvet said:

TL;DR 6 pages, so sorry if it's been addressed already, but you are missing lots of unallocated space there, ~ 46GB.

It's over provisioning

5 hours ago, BudMan said:

fixed the permissions on the decom...

 

You will want to look for the specific that was causing yours mine was the Immersive Shell

Would you offer instructions on how you fixed the decom error?

Share this post


Link to post
Share on other sites
+BudMan    3,537

What is your specific error - do a simple google for the exact error and you will more than likely find multiple hits on how to correct it.. For example.. Here were instructions how to fix an esent error was also seeing.

 

https://answers.microsoft.com/en-us/windows/forum/all/event-viewer-erro-esent-455-since-update-1903/624a2548-06e5-47f4-bb99-76d6412895a0

 

here was specific fix for the 10016 error I was seeing

https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/error-event-id-10016-distributedcom/130522d2-beac-4495-980a-65e1e3279901

 

Keep in mind the errors I was seeing could be different than what your seeing.

Share this post


Link to post
Share on other sites
devnulllore    33

Well whatever it is now that is causing the problem I did in fact have malware, ransomware to be exact. For the first time in my life I started using Tor browser and now I am getting ransom notes in my email is anyone familiar with these?

Share this post


Link to post
Share on other sites
Matthew S.    1,000

That has nothing to do with the drive if you were doing clean installs...

Share this post


Link to post
Share on other sites
+BudMan    3,537

An email threatening ramsonware is also not ransomware - its just spam..

 

Also the emails saying this is your password, and I know what you did on some p0rn site - send me some crypto - again spam..

  • Like 1

Share this post


Link to post
Share on other sites
ReAnimation    13
Posted (edited)

I haven't read through the full breadcrumb trial of this thread so apologies if this has already been mentioned, but random crashes/BSOD's can sometimes be caused by bad RAM.

 

Have you tried running memtest 86 on your computer and let it run a full sweep of your RAM?

 

You can download the ISO file (https://www.memtest86.com/) and either burn it to CD, or create a bootable USB memory stick using Rufus (https://rufus.ie/).

 

Depending your computers BIOS setup, you may need to enable legacy boot support to boot from USB media/CD's.  (My motherboard calls it CSM - compatability support module).

 

Once you have the motherboard booting from USB/CD, let memtest run a full sweep.  If its all fine, you can rule out memory issues.

Share this post


Link to post
Share on other sites
+BudMan    3,537

he is not actually getting a crash of the system, he explains it as crash of explorer, or just a hang/freeze, etc.

Share this post


Link to post
Share on other sites
devnulllore    33
2 hours ago, BudMan said:

An email threatening ramsonware is also not ransomware - its just spam..

 

Also the emails saying this is your password, and I know what you did on some p0rn site - send me some crypto - again spam..

What about the fact that the password s they showed were my actual passwords?

 

Share this post


Link to post
Share on other sites
+BudMan    3,537

Because some site data was compromised... That had your passwords..

 

1) Hack some site that has emails and passwords

2) use said emails to spam emails saying xyz - proof we have your passwords

3) profit.

https://techcrunch.com/2018/07/12/ransomware-technique-uses-your-real-passwords-to-trick-you/

 

edit:

This is another example of why you use very complex passwords, use different passwords for all sites.. And pay attention to any sites that have been compromised

 

Look into https://haveibeenpwned.com/

 

edit2:  To be honest some help desk guy that works for company xyz, could leverage his access to emails and passwords for such a scheme as well.  Site wouldn't have to have be compromised by outsiders.

 

 

  • Thanks 2

Share this post


Link to post
Share on other sites
Jim K    13,483

In addition to the above ... if you do get some emails saying they know your password is (your actual password)... be sure that all sites that you use that password/email combo have been changed.  Don't worry about the "ransom note" email itself ... just start changing passwords (if the password is your actual password) if you haven't already.

 

I've gotten a few of those "ransom note" emails but they contained older passwords of mine.

 

You can also use https://haveibeenpwned.com/ to check your email address vs. data breaches.

  • Like 1

Share this post


Link to post
Share on other sites
+BudMan    3,537

^very good advice.  While the complexity of the passwords does not help if the site has been compromised.. Using complex passwords can get you out of the habit of using the same password over and over once you start letting your password tool generate them for you..

 

I normally create account on new site with easy to remember and type password, then after account created complex it up to normally the max number of characters they allow, etc.

 

You know I would not be surprised if some of these spammers just send random stuff to emails.. When you send out a billion emails in a day - you prob hit on a few combo's of users that used some common password, etc.  And take the bait.. So just with a user list of say 10 million email address... I could send out saying hey I know your password for facebook, and it was p@55word! send me $$ and I won't do xyz..

 

The reason we get spam is the people sending them are not paying for the sending.. When it cost me say 2 minutes of work to send out 10 million emails, even if I only get .001% hit rate for users that fall for it - hey easy money... Until such time that users wise up and stop falling for this nonsense.. There will be spammers trying to take advantage..

 

Here is a funny example of something in my spam folder, was just going through to see if anything mis marked..   How and the F could anyone fall for such nonsense?

spam..thumb.png.d3a99c6c7674d46f28fa2783fe1597cb.png

 

Just blows my mind that somewhere, someone is thinking they are going to get 45 million dollars???

Share this post


Link to post
Share on other sites
Jim K    13,483

Does anyone else have an issue seeing your attachments (sorry, off topic)?  

 

 

Capture.JPG

 

I also tried with my phone .. on the Sprint mobile (to make sure my router wasn't blocking something) ... but your attachments don't work for me.

 

Right clicking and selecting "Open image in new tab" gives the following error ...

 

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>5EF1CE48A4FDD3F4</RequestId>
<HostId>
VInyw41A+Zzy/aACyc/tHGTkjdwhbL6QHatXMPPfyN+6i1ErbvjK6/bqcw7NQmHS/QY4fNm7T6A=
</HostId>
</Error>

Weird ...

Share this post


Link to post
Share on other sites
+BudMan    3,537

Not sure but I am seeing them.. Your not I take it.

 

edit: just opened in another browser and can see them just fine as well.. Thinking maybe its just you..

Share this post


Link to post
Share on other sites
Vince800    256
54 minutes ago, BudMan said:

Not sure but I am seeing them.. Your not I take it.

 

edit: just opened in another browser and can see them just fine as well.. Thinking maybe its just you..

No I'm getting the same as @Jim K here.

Share this post


Link to post
Share on other sites
adrynalyne    12,152
9 minutes ago, Vince800 said:

No I'm getting the same as @Jim K here.

Ditto. 

Share this post


Link to post
Share on other sites
Matthew S.    1,000
1 hour ago, BudMan said:

Not sure but I am seeing them.. Your not I take it.

 

edit: just opened in another browser and can see them just fine as well.. Thinking maybe its just you..

Looks like there's actually a file permission issue with the neowin cdn...

Share this post


Link to post
Share on other sites
devnulllore    33
Posted (edited)

Ok I checked the  https://haveibeenpwned.com/  site and it says I have been compromised by over 30 sites and they want me to buy a password program. What can I do now? Should I notify my service provider?

Share this post


Link to post
Share on other sites
+BudMan    3,537

What does your isp have to do with sites you visit having being compromised?

Share this post


Link to post
Share on other sites
Jim K    13,483
22 minutes ago, devnulllore said:

Ok I checked the  https://haveibeenpwned.com/  site and it says I have been compromised by over 30 sites and they want me to buy a password program. What can I do now? Should I notify my service provider?

No..your service provider can't do anything about it.

 

Just be sure your passwords are changed (especially if that email you received contained current password(s) or if the compromised sites revealed currently used password(s)).  Just might be time to go through all your logins and update. :)

Share this post


Link to post
Share on other sites
+BudMan    3,537

So exactly - when I look at my email on the pwnd site.. its listed in 6.. one being Adobe, back in 2013

 

Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text.

 

will just list the text vs screenshot, since there might be an issue with screenshots currently?

 

Anywhoo you see that adobe had problem back in 2013, my email address was listed in there.  My ISP has nothing to do with Adobe's lack of security.. Same goes with your ISP and the sites you have accounts on that have been compromised..

 

And sure they might suggest you use password site or software xyz.. Your free to do that if you wish.. Use of password site/software will allow you to use different passwords for each site much easier then you doing it yourself... Nobody can remember complex passwords, especially once you start using different ones on each and every site you have accounts on.. I am guessing you have way more than 30 ;)  If all your sites use different passwords - even if one compromised they only gain access to that site account, and not all of yours since your using different passwords on each site.

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.