Fixlist help

fixlist help malware bootkit

#16 rayzuh (Member, Topic Starter, 14 posts)

I don't think you're understanding my problems, so let me run through it quickly:

  1. Looping AppData shortcuts from EACH user on my PC, including hidden users that have random .exe, .jco and .manifest files everywhere.
  2. "Windows" programs and store apps keep re-downloading themselves due to Microsoft Sync and Remote Procedures. And no, I am not signing into my Microsoft account to trigger this. I created a local user on my PC and didn't download any software other than FRST on this fresh installation, yet my Registry is heavily modified. Ex: legit Windows Defender services can't be started in Safe Mode, yet there are obviously bootleg "Windows Anti-Malware" services that run in Safe Mode anyway.
  3. Random devices/services running on each sign-in, most of them having something to do with Hyper-V, Workstations, or Remote Access (which I have disabled multiple times through BIOS and Windows options, but they manage to reset themselves 10+ minutes after closing the window, or at any login; I can sign out and sign in quickly and glimpse all the programs starting before they shut down because I have Task Manager open).
  4. 170GB of my 2TB hard drive is in an unknown location (it's not in my hidden System Volume Information folders and there are no extra partitions that I can find). In BIOS my system detects the 2TB, but as soon as I launch the OS it disappears.
  5. These programs aren't being "installed". They are being downloaded as complete packages from an unknown host randomly. They are placed inside folders that my "User", "System" and "Everyone" are denied access to. However, random users, a fake TrustedInstaller and All Restricted Applications are allowed full control. These folders and files can avoid detection by making themselves hidden or installing drivers/services in the background that give "credibility" to them. The programs that run in the background have been keylogging and encrypting it to a "shared" file that I managed to look at before my last reset. In the log I checked, the program had actually logged one of my actual passwords in a TXT and it conveniently had the key for the decryption right next to it.
  6. The malware also monitors my main desktop window, so it knows when it's safe to run something in the background. If I am in a full-screened game, the programs will start aggressively mining in the background until I open Task Manager, when most of them shut down. I have a beast of a PC, so it should take no time whatsoever to open Task Manager; however, it takes about 15-20 seconds to load and initially loads with 100% CPU usage. Most of the time, a service/program called "System" will be what is taking up the most CPU during the lag. However, I have caught some "Programmable Interrupt Controllers" that were obviously not Windows processes that were responsible. Some random services aren't closed when I open Task Manager, and if it notices that I'm just leaving my Task Manager open, it will have a "System" process that will start to mine my HDD instead.
  7. I can't connect to WiFi/Ethernet normally because there are services/programs blocking it. The only way to resolve it is by having the malware version of Windows Troubleshooter "reset" the adapter (which just installs other hidden devices in my Device Manager).
  8. Hidden files everywhere that are obviously up to no good. Any malware that I send to my Recycle Bin recovers itself, even after I click empty all files. I've noticed a registry entry that monitors my Recycle Bin for certain programs to prevent them from being deleted. Sometimes the files completely cloak themselves in the Recycle Bin and I have to use the /dir or attrib command in CMD to even see them.
  9. These programs all work together, intricately. If one of them goes down it starts a chain reaction of registry, permission and file scanning until it detects the problem and recovers itself.
  10. Somehow, some way, my Windows 10 installation disk, which is a DVD-ROM (read only), was modified by the virus and turned into a BD-RE disc. They managed to swap out my normal boot files with the infected ones.
  11. Keep in mind this is what I've already done over the last two weeks trying to fix the issue myself.
  12. Most of my files are just shells. Here's an example from desktop.ini, which is in pretty much every one of my folders for some reason:

       [.ShellClassInfo]
       LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
       IconResource=%SystemRoot%\system32\imageres.dll,-183

  • Reformatted hard drive 6x, factory reset 3x, Windows Update/Media Creation Tool installation 2x, Windows installation from DVD-ROM disc, and even used DBAN DoD to nuke the drive.
  • Deleting partitions separately in diskpart and in Windows.
  • Flashing BIOS and VBIOS.

Below I have attached a zip with logs you should look at; here's a quick description:

  • Aria-debug log found in temp folder - malicious telemetry? BTW, I don't have a C:/Build folder normally, so this is sketchy.
  • CBS1 = SFC check from immediately after a 'fresh' installation (or I might've been in the recovery environment, can't remember); errors and skipped files not fixed even though it said in cmd that they were repaired.
  • CBS2 = SFC from today. Lots of unknown sources and skipped file scans, interruptions. However, when the tool was done it said everything was repaired, which is a blatant lie.
  • DISM1 = DISM scan not doing anything about unknown signatures yet saying repair complete in CMD.
  • Setupact = Found this in my temp folder recently, looks like malware but I didn't look too closely.
  • SQL log = Doesn't make sense why this is running on a fresh installation, also from temp folder.
  • WMsetup = Sketchy

#17 JSntgRvr (Global Moderator, 11,212 posts)

I believe the installation was made incorrectly.

It appears that the drive was formatted as a Master Boot Record (MBR) disk, which uses the standard BIOS partition table, and not as a GUID Partition Table (GPT) disk, which uses the Unified Extensible Firmware Interface (UEFI). I also see in these reports RAW (non-formatted) partitions.

In my opinion you should save any personal data and reinstall, but the right way.

Here are instructions for a clean install of Windows 10. I would suggest you follow these instructions. If your computer is prepared for UEFI, make sure the BIOS is set to it and convert the disk to GPT. The rest is just following the prompts.

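As an added example (not part of the thread and not from the moderator), this PowerShell script collects the facts the reply above is checking by eye in the logs: whether the running system booted in Legacy (BIOS) or UEFI mode, whether each disk is MBR or GPT, and whether any RAW volumes are present, so the layout can be confirmed before the reinstall. It assumes Windows 10 with the built-in Storage and SecureBoot modules, run from an elevated prompt.

```powershell
# Added example: report firmware mode, disk partition style and RAW volumes
# so a UEFI/GPT layout can be confirmed before a clean install.
# Assumes an elevated PowerShell on Windows 10 (Storage + SecureBoot modules).

# Boot mode of the running OS: "UEFI" or "Legacy"
$firmware = $env:firmware_type

# Partition style per disk: an MBR disk must become GPT for a UEFI install
$disks = Get-Disk | Select-Object Number, FriendlyName, PartitionStyle, Size

# Volumes with no recognised file system (Get-Volume shows them as blank/RAW)
$raw = Get-Volume | Where-Object { $_.FileSystem -in @('', 'RAW') }

# Confirm-SecureBootUEFI throws on a BIOS-mode system, so catch that case
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'n/a (BIOS mode)' }

"Firmware mode : $firmware"
"Secure Boot   : $secureBoot"
$disks | Format-Table -AutoSize
if ($raw) {
    "RAW (unformatted) volumes found:"
    $raw | Format-Table DriveLetter, Size -AutoSize
}

# Summarise what has to change before reinstalling the "right way"
$mbr = $disks | Where-Object PartitionStyle -eq 'MBR'
if ($firmware -eq 'Legacy' -or $mbr) {
    "Action needed: set the firmware to UEFI boot and convert the target disk"
    "to GPT (diskpart: 'clean' then 'convert gpt'; this erases the disk, so"
    "back up personal data first)."
} else {
    "Firmware is UEFI and all disks are GPT; layout is ready for a clean install."
}
```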

#18 rayzuh (Member, Topic Starter, 14 posts)
Followed the instructions you linked and my PC is running a lot smoother. However, it seems like the virus is still present somehow. I will try to post the FRST logs as soon as I can; my Microsoft Edge is currently broken due to the sfc scan detecting errors.

Before I reinstalled I ran the clean all command using diskpart, so I'm amazed how the virus survived. I'm 90% sure I created a clean USB boot, so I don't know what else to do. Microsoft Sync, OneSync, Offline Files and OneDrive all run immediately when I log in to Windows for the first time, downloading who knows what.

I ran the sfc scan twice; the first one repaired some errors and the second one didn't find any. All 3 DISM commands came back clear as well.

I'm noticing the same weird shortcuts as before, as well as hidden users named Default, User, Default, All Users that have loads of user profile files under their Documents. Also found an S-1-18 user folder hidden in the Recycle Bin, and when I emptied it, it'd just create another Recycle Bin, or shortcut?
#19 JSntgRvr (Global Moderator, 11,212 posts)
Post new logs.
#20 rayzuh (Member, Topic Starter, 14 posts)
I'm trying. I can't download Firefox or Chrome using Command Prompt or PowerShell. I've tried running multiple scripts but I just get errors. My Microsoft Edge and Internet Explorer don't even open or run, so I'm not sure what to do. I've tried going to the Microsoft Store but it says I already have Edge installed. All of the other browser options in the Store look like malware. I also realized that the Cool File Viewer program from the Store is what infected my computer initially.

Edited by rayzuh, 43 minutes ago.
