New duplicate services popping up with funky extensions

Status
Not open for further replies.

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Ok. I noticed this morning all these duplicate services running. You can stop them but can't disable them, and they have names like cbdhsvc_582f17... They're all over the place and most aren't anything I think you must have. consentUXUserSvc_582f17. They're everywhere. And I can't find any info on the net about this. I've been able to delete some using SC... But most of them have other services with the same name, just no extension. This morning the extension was different.. any idea what's up?

CaptureService_582f17
Connected Devices platform user servic_.21_ad55. That was this am; a few minutes ago it switched to the _582f17.. I deleted some of them but I really need someone's opinion on this.
 

thrillskr

Level 2
Verified
Dec 28, 2018
83
Maybe a little bit out of the box thinking, but you could try these tools:

AVZ-Antiviral toolkit by Oleh Zaystev. It's a powerful tool.

More info:


Or put Strelec WinPE on a (clean) USB. It has a lot of useful and strong tools included.

More info:


Hope this can help you, good luck and keep us updated.
 

Dcroft39

New Member
Thread author
Jun 9, 2019
25
No antivirus finds anything. This just popped up overnight. And like clockwork the 6 letter/number combo changes every boot up. I got so sick of cranking up an admin prompt, opening services, going through them hand by hand and deleting them... So I wrote a program that takes one argument.. the extension of the hour, and wipes em out in about 112ms. But it doesn't get them all. I will post a list of the most infected; there are about 20 services in all. And then right below it is a Windows service with the same name, no extension.. has anyone ever heard of this? Or am I the first to get rammed with it.

@thrillskr... You know.. thank you! I haven't actually tried that. My PC has been compromised, so I don't have any clean USBs now. I honestly do not know what state the box is in. The only tool to find anything was MS Windows Malicious Software Removal Tool. 3 on disk, 1 on recovery drive. But before it finishes it pauses, then goes to the "your computer is clean" screen. Aside from that no luck.
I am barely working so $ is tight. I want to follow @slyguys protocol for cleaning, but can't afford a Chromebook, a hotspot, new phone, etc. Man I am so far from that. Happy I'm in a house where I can eat occasionally. I'm working today but after that who knows. I'm very curious about this service debacle. What could be doing that? OSArmor was messing with my command line programming a while. Fixed that. But I don't see why they'd be duping a bunch of mostly unused services. I delete em, restart. Back with new names. Only about 2 won't delete. Thanks for the reach out.
 

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Below is a self log I keep to myself when I find strange ##### on my box:: it's like me talking to myself in notes,
but then I figured maybe you may have shook hands with this Virii before so I converted it to a letter.


This service is probably malware:
Connected Devices PlatformUser service_21_ad55, will not let me disable or change.
I have 2 of them, but one is appended with _21_ad55

The name changed; I deleted the service, also deleted
cbdhsvc_582f17
ConsentUxUserSvc_582f17
CaptureService_582f17

now they've come back with different extensions
CaptureService_e4ccb
cbdhsvc_e4ccb
CDPUserSvc_e4ccb
ConsentUxUserSvc_e4ccb
PimIndexMaintenanceSvc_e4ccb
CredentialEnrollmentManagerUserSvc_e4ccb
(Access was denied on the above and the next one)
DeviceAssociationBrokerSvc_e4ccb
DevicePickerUserSvc_e4ccb
DevicesFlowUserSvc_e4ccb
MessagingService_e4ccb


Failed Openservice access denied



PrintWorkflowUserSvc_e4ccb
OneSyncSvc_e4ccb
UnistoreSvc_e4ccb
WpnUserService_e4ccb

three times today they have all come back with different appended names....
If this ain't malware IDK what is, because it's not right. Unless it's a part of SysHardener
or OS Armour, but I don't see how. Also many things I select to be disabled in these programs...
They don't get disabled and are running right after. Almost the entire east coast is going through
an internet blackout... IDK what the hell is going on. I'll keep killing em as I find em.


...and again
cbdhsvc_5327cb
ConsentUxUserSvc_5327cb

I got sick of deleting all these BS services every boot up. I wrote a program that you pass in the latest ext and it swaps em out from my control variables and wipes those #####ers out in a matter of seconds. Now just find the cause.. cause I'm scared of it. It's bad enough I'm still hacked.
I mean, hackers don't just up and leave. So with this it seems like every time I boot up the services are back with a different appended extension.

Today 7-3-19 the ext is AarSvc_87b164
Again 7-2-19 our bootup ext is..... drum rolllllll....!!! _a7cac6

Seriously guys, does anyone out there know what this is?? I can't keep using my binary bandaids.
This could be something, or it could be #####... anybody? Going to try some different scanners and see if anything comes up.


Here is a copy and paste that shows all the services infected.

set SVR_1="CaptureService_5327cb"
set SVR_2="AarSvc_5327cb"
set SVR_3="BluetoothUserService_5327cb"
set SVR_4="PimIndexMaintenanceSvc_5327cb"
set SVR_5="CDPUserSvc_5327cb"
set SVR_6="ConsentUxUserSvc_5327cb"
set SVR_7="PimIndexMaintenanceSvc_5327cb"
set SVR_8="CredentialEnrollmentManagerUserSvc_5327cb"
set SVR_9="DeviceAssociationBrokerSvc_5327cb"
set SVR_10="DevicePickerUserSvc_5327cb"
set SVR_11="DevicesFlowUserSvc_5327cb"
set SVR_12="BcastDVRUserService_5327cb"
set SVR_13="MessagingService_5327cb"
set SVR_14="PrintWorkflowUserSvc_5327cb"
set SVR_15="OneSyncSvc_5327cb"
set SVR_16="UserDataSvc_5327cb"
set SVR_17="UnistoreSvc_5327cb"
set SVR_18="WpnUserService_5327cb"

Only what's in quotes is to be acknowledged. As I'm sure you all know, this is just the variables
from a program and these are the control sets used. I just call the program, pass in the new
ext of the day, and it loops through em, changes the ext, and deletes the f&%#@rs service.

Does this look like any behaviour anyone has seen???



Look, I know the deal. I'm not trying to come back and get help, but you said my logs were clean anyway. I haven't run a scan since this started. I'm so sick of them turning up nada after 6 hours, or finding something then going... oh my bad, you're not infected. Your computer is fine. Don't worry about those 6 files I said were infected.

And the only tool, the only tool to show them is MS Windows Malicious Software Removal Tool, and I have to manually run it. I noticed today Defender is no longer updating, and it has never once run that tool in the background.

Suspicious huh?

I'll use FRST if you want, but mainly I know this is not right Eagle.... You don't have multiple copies of the same service that changes its name every boot up.

Let me know if you need more. All I can do now is delete em, but it's only a bandaid. Who knows what the payload is.
 
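The list above pairs each suffixed name with an unsuffixed service of the same name. The following is an added example (not the thread author's deletion script and not from any project mentioned here) that checks, instead of deleting, whether a suffixed service is a Windows 10 per-user service instance of a template service: it parses the `<Template>_<hex>` name, confirms the template key exists under HKLM\SYSTEM\CurrentControlSet\Services, and tests the registry `Type` flags SERVICE_USER_SERVICE (0x40, set on the template) and SERVICE_USERSERVICE_INSTANCE (0x80, set on the instance) from winsvc.h. The ImagePath comparison assumes the instance key mirrors the template's ImagePath; run it in an elevated PowerShell on the affected machine.

```powershell
# Added example: classify suffixed services as per-user service instances or not.
# Flag values are from winsvc.h (SERVICE_USER_SERVICE, SERVICE_USERSERVICE_INSTANCE).
$SERVICE_USER_SERVICE         = 0x40
$SERVICE_USERSERVICE_INSTANCE = 0x80
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-PerUserServiceInstance {
    param([Parameter(Mandatory)][string]$Name)

    # Per-user instances are named <Template>_<hex suffix>; anything else is not one.
    if (-not ($Name -match '^(?<template>.+)_(?<suffix>[0-9a-fA-F]+)$')) {
        return [pscustomobject]@{ Name = $Name; Template = $null; Verdict = 'no suffix' }
    }
    $template = $Matches.template
    $tplKey   = Join-Path $svcRoot $template
    $instKey  = Join-Path $svcRoot $Name

    # A suffixed service with no template of the same name deserves a closer look.
    if (-not (Test-Path $tplKey)) {
        return [pscustomobject]@{ Name = $Name; Template = $template; Verdict = 'NO TEMPLATE - investigate' }
    }

    $tplType  = (Get-ItemProperty $tplKey  -Name Type      -ErrorAction SilentlyContinue).Type
    $instType = (Get-ItemProperty $instKey -Name Type      -ErrorAction SilentlyContinue).Type
    $tplImg   = (Get-ItemProperty $tplKey  -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $instImg  = (Get-ItemProperty $instKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

    $templateIsUserSvc = ($tplType  -band $SERVICE_USER_SERVICE) -ne 0
    $instanceIsInst    = ($instType -band $SERVICE_USERSERVICE_INSTANCE) -ne 0
    # Assumption: a legitimate instance runs the same ImagePath as its template.
    $sameImage         = ($instImg -eq $tplImg)

    $verdict = if ($templateIsUserSvc -and $instanceIsInst -and $sameImage) {
        'per-user instance of template'
    } else {
        'MISMATCH - investigate'
    }
    [pscustomobject]@{
        Name         = $Name
        Template     = $template
        TemplateType = ('0x{0:x}' -f $tplType)
        InstanceType = ('0x{0:x}' -f $instType)
        Verdict      = $verdict
    }
}

# Check every registered service whose name carries a hex suffix.
Get-Service | Where-Object Name -match '_[0-9a-fA-F]+$' |
    ForEach-Object { Test-PerUserServiceInstance -Name $_.Name } | Format-Table -AutoSize
```

A row whose verdict is not "per-user instance of template" is the one worth submitting to a scanner or a helper; the rest are expected to reappear with a new suffix at every logon.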

dJim

Level 5
Verified
Well-known
Mar 12, 2016
250
From what I have found these services are legit from Windows 10 OS; anyway I'm not sure about all that list, but most are for maintenance and so supposed to make the OS more fast, clear, etc.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
You're probably better off replacing Windows 10 with a Free Linux distro.

Your non-crucial online accounts can be closed/terminated, therefore less risk and exposure to "hacks" / "ID Theft".

> From what I have found these services are legit from Windows 10 OS; anyway I'm not sure about all that list, but most are for maintenance and so supposed to make the OS more fast, clear, etc.

He's probably deleting them and they're reappearing, if that's even possible.
 

dJim

Level 5
Verified
Well-known
Mar 12, 2016
250
> He's probably deleting them and they're reappearing, if that's even possible.

You can't delete most of them; they are "crucial services". Some are for notifications, personalization etc. Anyway there's not full info about all of them, still searching with no good result atm.
 

Mjolnir

Level 2
Verified
Jul 4, 2019
69
D - 2 questions for you.... 1. Do you have Controlled Folder Access protection turned on in Win 10? 2. Have you tried a Windows Defender Offline/pre-boot scan?
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
> You can't delete most of them; they are "crucial services". Some are for notifications, personalization etc. Anyway there's not full info about all of them, still searching with no good result atm.

OP talks about writing scripts to delete integral parts of Windows. I am surprised the OS still boots up.
 

dJim

Level 5
Verified
Well-known
Mar 12, 2016
250
Yes, Microsoft for real needs to give full info about each service and process, including the famous svchost.exe, which after running makes one paranoid sometimes, and it seems Google or other web searches don't give help or info; it looks intentional.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
There's little or no information about certain Windows services, but that does not mean it's malware or spyware; Microsoft have always been vague about services.
 

Dcroft39

New Member
Thread author
Jun 9, 2019
25
Whoa.... Lots of responses!! Thanks guys. Ok.. I tried searching about this, most especially the funny extension that changes every time you boot up. And the 19 or 20 services I've found all have what seem like normal copies without the extension. I've been hacked for a while so I'm not taking anything at face value guys.


I haven't found any Microsoft evidence to back this up. If you do . Please post a link.

Yeh.. I want to drop Windows for Linux. I've downloaded Ubuntu, and Kali. But my passengers don't want me to do so and they corrupt the ISOs before I can use them. I've tried several times. I gotta get some crap together, go off grid and fix this mess before I can trust any major install.

I am being forced to use what is now called "Windows To Go" and from my particular POV... it sucks. As soon as I read you can carry your access more or less on a freaking USB and use any computer to get to your stuff, I was extremely motivated to dump Windows. It means someone can log in as me and access my files from anywhere. And since I can't keep them out, IDK what to do..

@Mjolnir... I have no idea. I need to go and check. I try not to log in to the internet with that box since I was forced to go "Win To Go" unless absolutely, positively.. I have to.
And yes I've tried it. Offline scan. No results. You can get the MSRT to find at least 3 infections but it won't follow through. I've noticed my Defender settings keep getting set not to update, and not to scan. I fix it and it goes right back.

I just use it as a place to experiment with Python offline, as I learn it, and some really out of the box batch programming. IDK why I keep toying with batch. It's just fun to keep figuring out ways to make stuff work.


What do you guys know about this Windows To Go stuff? Do you think it best I just flatten this box now and leave it in a wiped state until I can fix the hacker problem? Which I have an explicit protocol to follow to do it. It's just gonna take money and I'm in short supply now. It'll suck to have to give up learning and development for a couple months, but if Windows To Go is making it that much easier... I have to.
 

Dcroft39

New Member
Thread author
Jun 9, 2019
25
@Mjolnir controlled folder access is on. And I did a few more scans. 2 offline, one custom. They never finish and no scan is recorded by Windows. They get about 90% and then the next screen pops up. This tells me that Defender had been disabled, probably via some script/bot something, and it would indeed remove the infection if it could just do its job. It's frustrating at best and extremely frightening at worst. I'm on the edge with this box. It's all I have ATM save the Win10 desktop in the living room which was just disabled. Maybe I need to wipe it, trash it.
 

ForgottenSeer 76546

You know there's nothing wrong with those services right?
They are totally normal.
 

Dcroft39

New Member
Thread author
Jun 9, 2019
25
@davisd. Lol.. you didn't read the entire post. This is the 17th format. 17 times, and 17 different paragraphs for passwords, facial rec, VPN, massive firewall. It's compromised and I'm sick of reinstalling infected files! I have no other means of downloading clean install files. It wouldn't matter anyway. There is a laundry list of protocol I must follow to shake the hackers and it costs $. I do not have the $ to shake the hackers. Not now. I am rarely working and it's barely enough to stay afloat. It's a double edged sword. Damned if I do, damned if I don't.

Yes I am aware format, flatten, wipe with DBAN. But thank you so much for your glorious input. You have a talent for stating the obvious.

I know the services aren't critical, that's my point. Basically I've never seen them duplicate like this and change names on every boot.

Just thought it was weird. That's why I posted. Apparently it's totally normal all of a sudden for these rinky services to just begin duplicating and renaming themselves. So I'll let the thread die. Thanks to all that have offered solid information.
 