This happened after I'd deleted all my system restore points to save disk space on my 60GB SSD, and run an MBAM scan the day before.
Yesterday I downloaded a video file that would not play, though it had all its metadata correct. I dismissed it and downloaded a different version. About 2 hours later Windows shouted at me because DllHost.exe was using almost all of my RAM. I killed it and came to the conclusion that the DLL used to generate thumbnails had been compromised by the supposedly corrupted file. I tried to delete the video and it instantly came back with the permissions set so that I couldn't delete it anymore. I attempted to log in as the Administrator account (which is usually disabled, but without a password) to discover that a password had been set. I plugged the disk into my Raspberry Pi to bypass the Windows permissions and successfully deleted the file. I then logged back in to my PC, and soon Windows Explorer was using about 4GB of my RAM. I killed it and attempted to replace it with a backup, but lacked permissions to rename it, which I used to have. I restarted Explorer and nothing out of the ordinary happened, and my PC behaved normally for the rest of the night.
I turned it on this morning after a bit of thinking, and now svchost.exe was using immense amounts of memory. None of the services running under it were abnormal, so I killed its tree and it came back as expected, but using a normal quantity of memory. After 5 minutes or so it suddenly spiked back up. I installed BitDefender and told it to scan explorer.exe. It stopped working, and when I restarted it, it had no GUI. I told the application to exit and all signs of it disappeared, but the process was still running, and RAM usage was starting to climb. I attempted to kill it, but Task Manager said I had insufficient permissions to stop the process, and it now had SYSTEM listed as its user. It seems far too clever to be "regular" malware, and I see no effect of it apart from using huge amounts of memory. It does this when not connected to the internet, so I don't think it's sending my data around.
I have now disabled my data drive and turned off the computer. I need to know if this is something that can be fixed, or if my best option is to wipe my SSD and reinstall Windows.
I do have another Windows machine that I can use if extremely necessary, but otherwise I need my PC back by Saturday.