[SOLVED] How can I make sure that my PC hasn't been compromised (Remote Hacking) ?

Vellaura

Reputable
Nov 30, 2020
Hey all!

I was using Discord web on Chrome incognito. While I was browsing an AI Art server I got some DMs related to a discussion I was having, relevant to the type of art I was interested in. I got sent some cool images and downloaded a couple onto my hard drive. They were webp files.

I already had kaspersky free installed and have never had any issues with it. I've been using Kaspersky for 10+ years. Paid and non. And it always IMMEDIATELY picks up on sus files.

Anyways. While I was chilling maybe an hour or more later I decided to open up OBS Studio to do some configuring and randomly my PC got SUPER slow. My mouse was either incredibly laggy or delayed or it was being controlled, at least it felt that way. I noticed my Kaspersky icon had turned Red, which usually indicates some kind of issue.

The cursor felt like it was making its way to the bottom right settings. I panicked when I saw the red Kaspersky icon and immediately restarted my PC.

Upon logging back in everything was perfectly fine, nothing looked out of place, missing etc. I immediately did a full scan on Kaspersky. Then to be extra safe I downloaded Malwarebytes and did another scan. I scanned the files I downloaded, nothing (I've since deleted them). I scanned it again on both with the internet disconnected. I did some research on YouTube and ran some command prompts for suspicious IPs, nothing, no new programs installed, nothing new on startup.

I checked the Kaspersky logs to see what had happened. Nothing. Just normal log stuff.

I am completely bewildered. Did my PC just have a mega fart and I freaked out thinking I was infiltrated?

What are some other checks I can do to make sure my PC isn't exposed, compromised or vulnerable. Or at least be able to figure out wtf happened through some kind of logs.

Any information is appreciated.

Thank you :)
 
randomly my PC got SUPER slow
When posting a thread of troubleshooting nature, it's customary to include your full system's specs. Please list the specs to your build like so:
CPU:
CPU cooler:
Motherboard:
Ram:
SSD/HDD:
GPU:
PSU:
Chassis:
OS:
Monitor:
Include the age of the PSU apart from its make and model, and the BIOS version for your motherboard at this moment in time.

Did my PC just have a mega fart and I freaked out thinking I was infiltrated?
You should've opened up Task Manager to see if any resources were being drawn or whether the outgoing traffic on your PC was abnormal. One precautionary act is not to download something upon suggestion within a site.
 
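The advice above (look at Task Manager and outgoing traffic while it is happening) is the step that was missing, and by the time the machine was rebooted the evidence was gone. The following is an added PowerShell example, not from this thread or from any of the tools mentioned in it, that records the same two things to files so they survive a reboot: which processes are burning CPU right now, and every established TCP connection with the executable that owns it. The output folder on the Desktop and the 5-second sample window are assumptions; run it in an elevated PowerShell window at the moment the machine becomes sluggish.

```powershell
# Added example, not from the thread. Run elevated while the slowdown is happening.
# The output folder and the sampling interval are assumptions for illustration.
$outDir = Join-Path $env:USERPROFILE 'Desktop\triage'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. CPU. Get-Process reports lifetime CPU seconds per process, so take two
#    samples and diff them: a process that consumes seconds of CPU inside a
#    5 s window is what is making the machine crawl *now*.
$before = @{}
Get-Process | ForEach-Object { if ($null -ne $_.CPU) { $before[$_.Id] = $_.CPU } }
Start-Sleep -Seconds 5
$busy = foreach ($p in Get-Process) {
    if ($before.ContainsKey($p.Id) -and $null -ne $p.CPU) {
        [pscustomobject]@{
            Id           = $p.Id
            Name         = $p.ProcessName
            Path         = $p.Path        # $null for protected/system processes
            CpuIn5s      = [math]::Round($p.CPU - $before[$p.Id], 2)
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB)
        }
    }
}
$topCpu = $busy | Sort-Object CpuIn5s -Descending | Select-Object -First 15
$topCpu | Export-Csv -NoTypeInformation -Path (Join-Path $outDir "cpu-$stamp.csv")
$topCpu | Format-Table -AutoSize

# 2. Network. Every established TCP connection joined to its owning process.
#    This is what "netstat -ano" shows, with the executable path resolved and
#    loopback connections (127.x / ::1) dropped as noise.
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Pid     = $_.OwningProcess
            Process = $proc.ProcessName   # $null if the process already exited
            Path    = $proc.Path
        }
    }
$conns | Export-Csv -NoTypeInformation -Path (Join-Path $outDir "net-$stamp.csv")

# 3. Who signed the binaries that are talking to the network. An unsigned
#    executable in %TEMP% or %APPDATA% holding an outbound connection is the
#    classic remote-access-tool shape; a valid signature is only a hint about
#    the publisher, not a clean bill of health.
$conns | Where-Object Path | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $sig.Status -PassThru
} | Sort-Object Signature | Format-Table Remote, Process, Signature, Path -AutoSize
```

Both CSV files carry the timestamp in their name, so the snapshot taken during the slowdown can be compared against one taken on a quiet day; a remote IP that only shows up during the episode is the thing to chase first.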

My apologies.

PC Specs
Motherboard: P9X79 LE
CPU: Intel Core i7 3820 @ 3.60GHz
CPU Cooler: Coolermaster 212 RGB Black Edition
GPU: Gigabyte Windforce GTX 1080
PSU: Corsair 550 Gold
Storage: 1 TB ST1000DM003 HDD / Fujitsu 128GB SSD
Case: NZXT Phantom White
RAM: 16GB DDR3 Corsair Dominator 1333mhz
Monitor: Samsung BX2450
Keyboard/Mouse: Razer Arctosa - Logitech M90
Headset: Hyper X Cloud

It got slow to the point where it was basically unusable. Kind of like a 1fps feeling.

Thank you
 
  1. Kaspersky found nothing. 2. MalwareBytes found nothing. 3. Nothing looks out of place. 4. Nothing captured about what processes might have slowed this down. In summary, you don't have much info to go on except that the system got slowed, and Kaspersky's icon turned red.
I personally would:
  1. Look at the event viewer logs around the time from your downloads to your system slowdown to see if there is any further info to be had.
  2. Do another full scan with the ESET online scanner to see if it finds anything.
If there is no further info, you might have to wait to see if anything else will pop up and give you some more clues to investigate.
 
1. How can I go about looking at my event viewer logs. Shall I post a screenshot of it?

2. I'll do the ESET scan when I get home!

Thank you for the response.
 
If you click on Windows and search for "Event Viewer," the app shows up with "System" under it. Click on it; I believe the "Custom Views" should have "Administrative Events." Start with that and see if there is anything unusual, which is hard to know if you haven't ever looked at it. It may be a repeating log or something else. Filtering out the "Warning" type may help narrow things down if there are lots of errors around that time.
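Clicking through Event Viewer one log at a time makes it hard to see the order in which things happened across System, Application and Security. The following is an added PowerShell example, not from this thread, that pulls every event from those logs (plus the Defender operational log) inside a window around the incident into one time-ordered table, filters out Warnings as suggested above, and marks the entries that are written at the *next* boot after a forced reset. The incident time is taken from the thread's own description (11:12 PM on 5/15/2025) and the 30-minutes-before / 10-minutes-after window is an assumption; run it elevated, since the Security log is not readable otherwise.

```powershell
# Added example, not from the thread. Incident time and window are assumptions
# taken from the thread's description. Run in an elevated PowerShell window.
$incident = Get-Date '2025-05-15 23:12:00'
$window   = @{
    StartTime = $incident.AddMinutes(-30)
    EndTime   = $incident.AddMinutes(10)
}
$logs = 'System', 'Application', 'Security', 'Microsoft-Windows-Windows Defender/Operational'

# One query per log; a log with no events in the window throws, which we swallow.
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable ($window + @{ LogName = $log }) -ErrorAction SilentlyContinue
}

# IDs matching the three entries quoted later in the thread. All three are
# written when Windows comes back up, so they describe the reset button, not
# whatever happened before it:
#   System  / EventLog      6008  "The previous system shutdown at ... was unexpected."
#   System  / Kernel-Power    41  "The system has rebooted without cleanly shutting down first."
#   Security/ Eventlog      1101  "Audit events have been dropped by the transport."
$bootMarkers = 6008, 41, 1101

$timeline = $events | Sort-Object TimeCreated | ForEach-Object {
    $note = ''
    if ($bootMarkers -contains $_.Id) { $note = 'boot marker' }
    [pscustomobject]@{
        Time     = $_.TimeCreated.ToString('HH:mm:ss')
        Log      = $_.LogName
        Id       = $_.Id
        Level    = $_.LevelDisplayName
        Provider = $_.ProviderName
        Note     = $note
        Message  = ($_.Message -split "`r?`n")[0]   # first line is enough for a timeline
    }
}

# Everything, to a CSV you can attach to a forum post or keep for later.
$csv = "$env:USERPROFILE\Desktop\events-$($incident.ToString('yyyyMMdd-HHmm')).csv"
$timeline | Export-Csv -NoTypeInformation -Path $csv

# On screen: Critical and Error only. Warnings are usually noise in this situation.
$timeline | Where-Object { $_.Level -in 'Critical', 'Error' } |
    Format-Table Time, Log, Id, Level, Provider, Note, Message -AutoSize -Wrap

# The last few events of any kind before the reset are the ones that can say
# what the machine was doing when it froze.
$timeline | Where-Object { (Get-Date "$($incident.ToShortDateString()) $($_.Time)") -lt $incident } |
    Select-Object -Last 10 | Format-Table -AutoSize -Wrap
```

If the table shows nothing but the boot markers, the logs simply did not record the freeze, which is common for a hang (the machine has to be alive to write an event), and that absence is itself a data point: a crash, not a logged error.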
 
One thing you can do in addition to what everyone else said is go into your Windows and Windows 32 folder and then sort by date added or date modified. You can look up file names and folders on various search engines to see if they correspond to things you use or legitimate OS programs/calls.

You can also go through your registry entries and try to find any folder that doesn't correspond to legitimate OS functioning or programs you use.

Of course that takes a while, you kinda need to know what you're doing, and even if you find the Remote Access Trojan or nefarious code it doesn't mean you can get rid of it.

Now me personally if I had your experience I'd just make sure my data was backed up and nuke it from orbit ( Reformat of drive and reinstall).

But that's just me.
 
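Sorting a folder by date in Explorer works for one folder at a time, and it says nothing about whether a recently written executable is legitimate. The following is an added PowerShell example, not from this thread, that lists files written in the last few days under the Windows system directories and the user-writable locations malware tends to use, and checks the Authenticode signature of anything executable among them. The 3-day lookback, the directory list and the extension list are assumptions; adjust them to the date of the incident.

```powershell
# Added example, not from the thread. Lookback window, directory list and
# "executable" extension list are assumptions; run elevated for full coverage.
$since   = (Get-Date).AddDays(-3)
$dirs    = @(
    "$env:SystemRoot"
    "$env:SystemRoot\System32"
    "$env:SystemRoot\SysWOW64"
    "$env:SystemRoot\Temp"
    "$env:TEMP"
    "$env:APPDATA"
    "$env:LOCALAPPDATA"
    "$env:ProgramData"
)
$execExt = '.exe', '.dll', '.sys', '.scr', '.com', '.ps1', '.vbs', '.js', '.bat', '.cmd', '.hta'

# Two levels deep is enough to catch the usual drop points without crawling
# the whole drive; -Force includes hidden files, which droppers like to use.
$recent = $dirs |
    ForEach-Object { Get-ChildItem -Path $_ -File -Force -Recurse -Depth 2 -ErrorAction SilentlyContinue } |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
    Sort-Object FullName -Unique   # %SystemRoot% and System32 overlap

$report = foreach ($f in $recent) {
    $sig = $null
    if ($execExt -contains $f.Extension.ToLower()) {
        # On Windows 10 this also honours catalog signatures, so most files
        # shipped with Windows report "Valid" even without an embedded signature.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    }
    [pscustomobject]@{
        Written   = $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        Created   = $f.CreationTime.ToString('yyyy-MM-dd HH:mm')
        SizeKB    = [math]::Round($f.Length / 1KB)
        Signature = $sig.Status                   # $null for non-executables
        Signer    = $sig.SignerCertificate.Subject
        Path      = $f.FullName
    }
}
$report | Sort-Object Written -Descending | Format-Table Written, Created, SizeKB, Signature, Path -AutoSize

# Executables that are not validly signed. Under System32 this should be
# close to empty; elsewhere it is a starting point, not a verdict: plenty of
# legitimate software is unsigned, and "Valid" only tells you who signed it.
$report | Where-Object { $_.Signature -and $_.Signature -ne 'Valid' } |
    Select-Object Written, Signature, Signer, Path | Format-Table -AutoSize
```

A "Created" time that is minutes before the slowdown, on a file whose "Written" time is years old, is also worth noticing: copying a file preserves its modification time but not its creation time, so an attacker-dropped binary can look old in the default Explorer view.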
Thing is, I have no idea of knowing if something actually happened or if I'm just being paranoid. So far there is absolutely no indication whatsoever of a compromise. I like to think I'm being overly overly cautious and assuming the worst. So if it was just a program having a fart (potentially OBS) I'd be nuking for no reason 😀.

I'm just trying to determine if something actually happened first.

Edit:

hscoyFY.png


I think you meant the System32 folder. It's literally only 3 files and everything else was months ago. The 3 recent files I found were safe.
 
PpEox5p.png


The error and critical error above this line is

- The previous system shutdown at 11:09:03 PM on 5/15/2025 was unexpected.

- The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

- Audit events have been dropped by the transport. 0
 
And I will add to @Cilantro7536's Event Viewer suggestion that you also look in Reliability History/Monitor.

Much more end user friendly than Event Viewer plus Reliability History/Monitor presents a timeline format that can reveal sequences and patterns.

To help with Event Viewer:

How To - How to use Windows 10 Event Viewer | Tom's Hardware Forum (tomshardware.com)

Both tools permit clicking any given entry for more details about the entry. The details may or may not be helpful.
xsHXCkJ.png


Hey mate thank you for the response. I'm not sure if this is it because the link you provided didn't work. Based on google I think this is it.

The other critical before it is the same log and that was well before any sus files were downloaded.
 
How about uploading the file to VirusTotal and posting the resulting link? "Save scan log" just to make a record if you need it later.

Assuming you rebooted at around 11:09 PM or thereafter, the log entries before that could have been helpful, but you only have 9:14 PM log entries, which presumably happened way before your system slowed down. The said log entries don't provide much info.
 

Sorry, I should have clarified. The whole episode and slowdown happened at 11:12pm on 5/15/25, basically just before I panicked and rebooted. Which is why I displayed some time before and after then.

I'm not sure how i would upload the file to Virus Total since ESET has already "quarantined" it. Should I restore and upload?

Thank you
 
How did the machine get shut down at 11:09 PM? Did you reboot first before experiencing the slowdown? Are there any error entries beyond the 11:12 PM entries? What is in the “DeviceSetupManager” log entries?

I am a bit two-minded about the restoration and uploading. If the file is benign, then doing this will give you more info. If the file is malicious (still somewhat doubtful because K. didn't detect it), leaving it deleted would be better. You already fully scanned with two of the best AV detection/removal tools, and it is still not obvious that you were infected. The said detection is “potentially unsafe” and may have nothing to do with your image download.

Here's another line of thought: there was a WebP critical vulnerability that was highly publicized. Did you patch/update all the programs that are capable of displaying images?
 
So there was only 1 forced reboot from my end. It was a perfectly normal night from my side. I had just closed Overwatch and then proceeded to open up OBS, it was at that time my pc performance dropped to a crawl and I forced the reboot myself in panic. Only once. I'm going to dig up the OBS logs and get some help with those on the OBS discord to see if I can find some clues as to wtf happened.

The "DeviceSetupManager" says - "The Network List Manager reports no connectivity to the internet." And just repeats itself. Not sure whats going on there.

Honestly I'm with you on this one, also for peace of mind I'm just going to go with it being a false positive as well and leave it deleted. I had Kaspersky and Windows Defender running the entire time before the episode happened and it was downloaded onto the D drive, not sure if that matters, maybe it would taken more effort to make its way to the C drive? Especially while Kaspersky is up? Completely undetected? Not saying its not possible but very unlikely, especially considering I'm still using my PC as is. I also did 2 full scans on Kas and Malwarebytes both online and in safe mode and nothing came up.

Thing is, I didn't even view the images. Because they are webp. You can't on Windows 10. I usually just open them up in Photopea (an online Photoshop-type website), but I hadn't that day. It might even be completely unrelated to what transpired. But that was the only out of the ordinary thing I did that night.

On the drive home I was thinking and I'm starting to chalk this up to maybe my system getting really unstable for one reason or another, and this instability triggered Kaspersky as the system was not running as should be expected, thus the red icon. I'm going to look into this myself and see if its a thing. I know the red icon can come up for silly reasons like "Your account isn't logged in, or your license expired, BIG RED ICON ALERT ALERT ALERT". So I wouldn't rule it out of the realm of possibilities.
 
Event Viewer link - reposting:

https://forums.tomshardware.com/faq/how-to-use-windows-10-event-viewer.2752289/

Reliability History/Monitor:

The second Critical Event is likely a result of the forced reboot, provided that I have correctly followed the described actions etc.

The forced reboot then, in turn, may have caused some file corruption.

Run "dism" and "sfc /scannow" to find and fix damaged Windows files.

foMQuB9.png


Thank you! Would you like to see some the logs? I've had the same windows install for years so it probably did some much needed patching up XD
 
Yea I'll monitor how things go and report back if anything happens. I really appreciate the help and information.

From a general standpoint though, based on the information so far, would you guys say it was just bad timing of things that seemed malicious but was just a stock-standard PC crash?

Or would you guys believe there was some foul play?
 
5NDe3Al.png


identity.nel.measure.office.net

I am getting this pop up every so often. I did a search up and it doesn't seem malicious. Thoughts?

Looks like it's related to Microsoft Office, but I don't have MS Office installed.
 
Again that is Kaspersky and it seems to be implicating Google.

And it is not unusual for URLs to cause confusion. Specifically the use of "office" in this case.

Many websites give the appearance of being related to or even part of any given company by including that company's name somewhere within the full pathname.

[People looking for drivers and manuals are often misled (to put it mildly) to sites that have nothing at all to do with the company or manufacturer being sought. Some throw out fake warnings trying to scare people into calling for help. Difficult sometimes to exit the mess.]

Even if legitimate, an expired certificate is reason for caution. You do not know who obtained the URL rights. May have been fake to begin with...

Might have been foul play - no way to really know what all has transpired.

Two things:

1) Check Task Manager and Task Scheduler for any unexpected or unknown processes being launched at Startup or later triggered via Task Scheduler. Especially any that you did not establish.

2) Uninstall Kaspersky.
 
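Task Manager's Startup tab only covers a couple of the places Windows launches things from at logon, and Task Scheduler's tree hides the actual command behind several clicks. The following is an added PowerShell example, not from this thread, that enumerates the common autostart locations (Run/RunOnce registry keys for both the machine and the current user, the two Startup folders, scheduled tasks outside the \Microsoft\ tree, and auto-start services), prints the command each one runs, and checks the signature of the executable behind it. The `Resolve-Exe` helper is part of this example, not a built-in; run the script elevated so the machine-wide entries are readable.

```powershell
# Added example, not from the thread. Run elevated. Resolve-Exe is a helper
# defined here, not a Windows cmdlet.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$entries = @()

# Registry Run keys: each value name is one entry, its data is the command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $entries += [pscustomobject]@{ Kind = 'RunKey'; Where = $key; Name = $name; Command = $item.GetValue($name) }
    }
}

# Startup folders: anything here runs at logon; shortcuts are resolved to their target.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
        $entries += [pscustomobject]@{ Kind = 'Startup'; Where = $dir; Name = $_.Name; Command = $target }
    }
}

# Scheduled tasks outside \Microsoft\: state, author and the action's command line.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        $entries += [pscustomobject]@{
            Kind    = 'Task'
            Where   = $t.TaskPath
            Name    = "$($t.TaskName) [$($t.State), author: $($t.Author)]"
            Command = ("$($a.Execute) $($a.Arguments)").Trim()
        }
    }
}

# Services that start automatically, with the binary they run and the account they run as.
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $entries += [pscustomobject]@{ Kind = 'Service'; Where = $_.StartName; Name = $_.Name; Command = $_.PathName }
}

# Pull the executable out of a command line (quoted or first token) so it can be signature-checked.
function Resolve-Exe([string]$cmd) {
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return $exe }
    $found = Get-Command $exe -ErrorAction SilentlyContinue   # bare names such as "notepad.exe"
    if ($found) { return $found.Source }
    return $null
}

$report = foreach ($e in $entries) {
    $exe    = Resolve-Exe $e.Command
    $status = 'unresolved'
    if ($exe) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }
    $e | Add-Member -NotePropertyName Exe -NotePropertyValue $exe -Force
    $e | Add-Member -NotePropertyName Signature -NotePropertyValue $status -Force -PassThru
}
$report | Sort-Object Kind, Name | Format-Table Kind, Name, Signature, Command -AutoSize -Wrap

# Entries to explain first: unsigned or unresolvable, especially anything the
# user never created that points into %TEMP%, %APPDATA% or a random folder.
$report | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Kind, Name, Exe, Signature -AutoSize
```

Two caveats a practitioner would add: a service whose unquoted path contains spaces will show as "unresolved" here (that itself is a misconfiguration worth fixing), and this list covers the common locations only; WMI event subscriptions, browser extensions and Winlogon/shell registry values are other places persistence can hide.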

Yea it really is a mindbender. I only have 2 applications on start up, one is defender and the other is a program I'm familiar with.

What about Malwarebytes? Should I uninstall that too?

I did get this recently and I looked into it and I couldn't find anything. It is related to a file I'm very well aware of, which is Overwatch, safe to ignore this? I'm only entertaining the idea as I do remember the issue happening AFTER I closed the game.

i9BdNFb.png
 
What Malwarebytes version are you using?

I only use Malwarebytes (free) for occasional checks etc. when warranted.

Not being run in background.

As for Overwatch, I will need to defer to those who play the game with respect to File pathname, port etc being shown.
Okay thanks mate!

Oh, I just downloaded the Malwarebytes Antivirus from the website.

I just had one last request. Would you be able to help me with recommending the Top 3 file/url scanning websites.

You know the ones where you upload a file or link and it spits out whether it's malicious or not. I only know of the Kaspersky one.

I have one final plan before I put this thread to rest... for now.
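Two questions raised in this thread can be answered without restoring anything from quarantine or uploading it anywhere: whether the downloaded "webp" files really were images (the WebP vulnerability discussed earlier only matters if they were; a file whose content is a Windows executable is a different problem entirely), and what to paste into a scanning site. The following is an added PowerShell example, not from this thread, that reads the browser's Zone.Identifier stream (which records the download URL), compares each file's real format with its extension by its leading bytes, and computes the SHA-256 so the file can be looked up on VirusTotal by hash, which discloses nothing but the hash. The download folder path is an assumption, and `Get-MagicType` / `Get-DownloadOrigin` are helpers defined in the example, not built-ins.

```powershell
# Added example, not from the thread. The download folder is an assumption;
# Get-MagicType and Get-DownloadOrigin are helpers defined here.
$downloadDir = 'D:\Downloads'

# Identify a file by its first bytes rather than its extension. A WebP file is
# a RIFF container: "RIFF" at offset 0, "WEBP" at offset 8.
function Get-MagicType([string]$Path) {
    $buf = New-Object byte[] 12
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    $ascii = [System.Text.Encoding]::ASCII
    if ($n -ge 12 -and $ascii.GetString($buf, 0, 4) -eq 'RIFF' -and $ascii.GetString($buf, 8, 4) -eq 'WEBP') { return 'WebP' }
    if ($n -ge 8  -and $buf[0] -eq 0x89 -and $ascii.GetString($buf, 1, 3) -eq 'PNG') { return 'PNG' }
    if ($n -ge 3  -and $buf[0] -eq 0xFF -and $buf[1] -eq 0xD8 -and $buf[2] -eq 0xFF) { return 'JPEG' }
    if ($n -ge 6  -and $ascii.GetString($buf, 0, 4) -eq 'GIF8') { return 'GIF' }
    if ($n -ge 2  -and $ascii.GetString($buf, 0, 2) -eq 'MZ') { return 'Windows executable (PE)' }
    if ($n -ge 4  -and $ascii.GetString($buf, 0, 2) -eq 'PK') { return 'ZIP container' }
    return 'unknown'
}

# Browsers attach a Zone.Identifier alternate data stream (the "Mark of the Web")
# to downloads; Chrome and Edge record the source URL in it.
function Get-DownloadOrigin([string]$Path) {
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return '(no Zone.Identifier: not a browser download, or the stream was stripped)' }
    return (($ads | Where-Object { $_ -match '^(HostUrl|ReferrerUrl)=' }) -join ' ')
}

$report = Get-ChildItem -Path $downloadDir -File | ForEach-Object {
    $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        File      = $_.Name
        Extension = $_.Extension
        Actual    = Get-MagicType $_.FullName
        SizeKB    = [math]::Round($_.Length / 1KB, 1)
        Origin    = Get-DownloadOrigin $_.FullName
        SHA256    = $sha
        Lookup    = "https://www.virustotal.com/gui/file/$sha"   # lookup by hash; nothing is uploaded
    }
}
$report | Format-List

# The rows that matter: a ".webp" whose content is not WebP. A PE file with an
# image extension is something someone wanted double-clicked, not a picture.
$report | Where-Object { $_.Extension -eq '.webp' -and $_.Actual -ne 'WebP' } |
    Format-Table File, Actual, SizeKB, Origin -AutoSize -Wrap
```

If the hash lookup returns "not found", that only means nobody has submitted that exact file before; for a file that genuinely came from a stranger, that is a reason for more caution, not less. Uploading the file itself shares it with the scanning service and its partners, which is fine for a random image and a bad idea for anything containing personal data.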
 
