This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 61%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
I installed a file I believe was disguised as another file I wanted. It was not flagged as malware when I scanned it with windows defender, but when I ran it it did not do the expected function, and afterwards I have noticed oddities on the computer.
For instance any time I open task manager the cpu usage sits at around 90%, even when no other programs are running, before dipping down to less than 10% shortly after. Task manager will quit itself after a short while, something it has never done before. Looking at Network & Internet Status in settings also causes settings to immediately shut down, this also has never happened before. These oddities lead me to believe there might be a hidden cryptominer running in the background.
I have tried running Rkill to see if it detected any malware processes to terminate, and it causes my computer to blue-screen and restart, giving me the stop code: "Critical_Process_Died". Why it kills a critical process is beyond me, but it certainly didn't help solve my issue.
I have ran the Farbar Recovery Scan Tool, but I am not knowledgable enough to interpret it's output myself, I have uploaded them to my onedrive (https://1drv.ms/u/c/1fc0c727a97886ff/EaQidDfdKDxEnbMbCgcdlLkBSJnMk-jdXMUBMLQyMbUHQg?e=QHrQaJ). If you are able to interpret them, please do have a look.
Normally I would reset the computer as a last desperate measure, but it fails and gives me the message "Could not find the recovery environment". I believe this is because support has ended. If my mind serves me right I have been able to reset it without a physical windows installation media inserted in the machine, as I do not have one.
I have considered updating to windows 11 to allow me to do a reset, but I would prefer to keep using windows 10 until windows 11 has improved. ESU is activated for my windows 10 so I am led to believe windows defender should have been able to detect malware on my machine if any is present.I am not certain I do have malware, but fairly suspicious. Any advice or suggestions regarding how to handle this situation is greatly appreciated. Even if it turns out not to be malware I would still like help with stopping the oddities. I will be going to sleep now, and check on any updates tommorow, thanks in advance for any potential help.
Answer accepted by question author
I know you've you've fixed most of this, but I prepared a Fixlist to sort out the hijacked services and other things that haven't been addressed.
Please upload Fixlog.txt so I can check if any further action is needed.
Thank you for this. I have ran it, and you can find the fixlog.txt on my one drive here: https://1drv.ms/t/c/1fc0c727a97886ff/EfTclrxeZnpOg_0OZfcSImYBlASdiD6zVrRD3uFJXzFj_g?e=UkbZvL
That all looks good. I just want to check that some services were successfully restored.
Please right click the start button and select Windows Powershell (Admin)
Copy and paste in the following command then press enter:
gsv BITS, dosvc, usosvc, WaaSMedicSvc, wuauserv | ft -auto Name, DisplayName, StartType, Status
Post a screenshot of the output.
Thank you so much, have done as you said. Here is the output
I feel like they should be on automatic and running like usosvc is.
All those are OK, except BITS has been changed to manual since the Fixlist was run.
Download and apply the following registry file then reboot.
Thanks. Downloaded and ran it, reran the code in powershell, and BITS is automatic now
Great.To remove the Farbar scanner and its folders, rename it to uninstall.exe and run it. A reboot will be required.
Good luck :
Answer accepted by question author
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 72%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
Hello Tage,
Welcome to Microsoft Q&A forum. It's my pleasure to help you today.
I understand your concern that your computer might be affected with malware. I have checked the file you sent, while it is long and complicated, the main cause it pointed out is there is a few suspicious services and files.
For the files, the report shows that there is a suspicious file reside in these locations:
Why it is suspicious:
The file also indicated that a few Registry entry restriction. It might also prevent your computer from working normally. And there are some suspicious services as well. Also, I see that the default browser of your PC is LibreWolf, may I know if this is the one you are using?
Since there are a lot of suspicious activity and anomalies in this. The best way forward is to reinstall Windows to reinstall all malware possible. However, here is a few things we can do before that.
Disclaimer: Due to the big scale of the malware intrusion to your computer, I recommend that we try to perform a clean install to get your computer back into a working condition. Please ensure that you backup any important data, including Documents, Pictures, Videos, and more.
You can find the installation file and the ISO file for your Windows 10 in the Microsoft website. To make sure that all the malware is gone we highly recommend you install Windows 10 while remove all files.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Hello Carl! Thank you so much for your help. Yes I am using librewolf as my main browser. I have found and removed the suspicious files, removed the tasks from task scheduler and deleted the entries you mentioned in regedit.
I had prior to this ran a full system scan, but fortunately you made me look more into it, and I found that some folders, like appdata and programdata were exceptions to being scanned. Removing all exceptions and doing a scan of programdata uncovered a Trojan. I will do another full scan to make sure there aren't any more in another folder that was exempt from the full scan.
Opening services however I was unable to find any of the services you mentioned. Neither malicious ones, nor windows update ones. Any advice regarding this?
Thank you for providing the link to where I can get the installation file. I was thinking of reinstalling windows, remove applications and settings, but keep my files, as it would be a bit tedious to back up everything I want to back up.
Hello Tage,
Thanks for getting back to us.
Sorry for the confusion, the service name I provided is shortened. So you need to look for them in the services tab of task manager. You can also find them by their full name on the Service window (ex: dosvc = Delivery Optimization).
Usually remove a malware will also remove the related services, but you should still check again to make sure.
Please let me know if there are any updates. Or if you need any help with the clean installation.
Thank you for your clarification. I have confirmed that the malicious services are gone. Some of the core windows update services were disabled. WaaSMedicSvc has been reenabled, usosvc was unaffected. I didn't find wuaueng, but found another service by name of wuauserv (Windows update), which I assumed to be the same one, and started it. I was unable to start dosvc, getting the error code 1297. Had a quick look in secpol to see if I could grant it the privilege, but couldn't make sense of it. Unsure if it's something that needs adressing, as I assume it will be fixed with a windows reinstallation.