Fixlist help [Closed]

fixlist help malware bootkit

  • This topic is locked

#16 rayzuh (Member, Topic Starter, 17 posts)

I don't think you're understanding my problems so let me run through it quickly:

 

  1. Looping AppData shortcuts from EACH user on my PC, including hidden users that have random .exe, .jco and .manifest files everywhere.
  2. "Windows" programs and Store apps keep re-downloading themselves due to Microsoft Sync and Remote Procedures. And no, I am not signing into my Microsoft account to trigger this. I created a local user on my PC and didn't download any software other than FRST on this fresh installation, yet my Registry is heavily modified. Ex: legit Windows Defender services can't be started in Safe Mode, yet there are obviously bootleg "Windows Anti-Malware" services that run in Safe Mode anyway.
  3. Random devices/services running on each sign-in; most of them having something to do with Hyper-V, Workstations, or Remote Access (which I have disabled multiple times through BIOS and Windows options, but they manage to reset themselves 10+ minutes after closing the window, or at any login; I can sign out and sign in quickly and glimpse all the programs starting before they shut down because I have Task Manager open).
  4. 170GB of my 2TB hard drive is in an unknown location (it's not in my hidden System Volume Information folders and there are no extra partitions that I can find). In BIOS my system detects the 2TB, but as soon as I launch the OS it disappears.
  5. These programs aren't being "installed". They are being downloaded as complete packages from an unknown host randomly. They are placed inside folders that my "User", "System" and "Everyone" are denied access to. However, random users, a fake TrustedInstaller and All Restricted Applications are allowed full control. These folders and files can avoid detection by making themselves hidden or installing drivers/services in the background that give "credibility" to them. The programs that run in the background have been keylogging and encrypting it to a "shared" file that I managed to look at before my last reset. In the log I checked, the program had actually logged one of my actual passwords in a TXT, and it conveniently had the key for the decryption right next to it.
  6. The malware also monitors my main desktop window, so it knows when it's safe to run something in the background. If I am in a full-screened game, the programs will start aggressively mining in the background until I open Task Manager, when most of them shut down. I have a beast of a PC so it should take no time whatsoever to open Task Manager; however, it takes about 15-20 seconds to load and initially loads with 100% CPU usage. Most of the time, a service/program called "System" will be what is taking up the most CPU during the lag. However, I have caught some "Programmable Interrupt Controllers" that were obviously not Windows processes that were responsible. Some random services aren't closed when I open Task Manager, and if it notices that I'm just leaving my Task Manager open, it will have a "System" process that will start to mine my HDD instead.
  7. I can't connect to WiFi/Ethernet normally because there are services/programs blocking it. The only way to resolve it is by having the malware version of Windows Troubleshooter "reset" the adapter (which just installs other hidden devices in my Device Manager).
  8. Hidden files everywhere that are obviously up to no good. Any malware that I send to my Recycle Bin recovers itself, even after I click Empty. I've noticed a registry entry that monitors my Recycle Bin for certain programs to prevent them from being deleted. Sometimes the files completely cloak themselves in the Recycle Bin and I have to use the dir or attrib command in CMD to even see them.
  9. These programs all work together, intricately. If one of them goes down it starts a chain reaction of registry, permission and file scanning until it detects the problem and recovers itself.
  10. Somehow, someway, my Windows 10 installation disc, which is a DVD-ROM (read only), was modified by the virus and turned into a BD-RE disc. They managed to swap out my normal boot files with the infected ones.
  11. Keep in mind this is what I've already done over the last two weeks trying to fix the issue myself:
  12. Most of my files are just shells. Here's an example from desktop.ini, which is in pretty much every one of my folders for some reason:
        [.ShellClassInfo]
        LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
        IconResource=%SystemRoot%\system32\imageres.dll,-183

  • Reformatted Hard Drive 6x, Factory Reset 3x, Windows Update/Media Creation Tool Installation 2x, Windows Installation from DVD-ROM disc, and even used DBAN DoD to nuke the drive.
  • Deleting partitions separately in diskpart and in Windows.
  • Flashing BIOS and VBIOS.

 

Below I have attached a zip with logs you should look at; here's a quick description:

  • Aria-debug log found in the Temp folder. Malicious telemetry? BTW, I don't have a C:\Build folder normally, so this is sketchy.
  • CBS1 = SFC check from immediately after a 'fresh' installation (or I might've been in the recovery environment, can't remember); errors and skipped files not fixed even though it said in CMD that they were repaired.
  • CBS2 = SFC from today. Lots of unknown sources and skipped file scans, interruptions. However, when the tool was done it said everything was repaired, which is a blatant lie.
  • DISM1 = DISM scan not doing anything about unknown signatures yet saying repair complete in CMD.
  • Setupact = Found this in my Temp folder recently, looks like malware but I didn't look too closely.
  • SQL log = Doesn't make sense why this is running on a fresh installation, also from the Temp folder.
  • WMsetup = Sketchy

 

Attached Files



#17 JSntgRvr (Global Moderator, 11,246 posts)

I believe the installation was made incorrectly.

 

It appears that the drive was formatted as Master Boot Record (MBR) disk, which uses the standard BIOS partition table, and not as a GUID Partition Table (GPT) disk, which uses Unified Extensible Firmware Interface (UEFI). I also see in these reports RAW (non formatted) partitions.

 

In my opinion you should save any personal data and reinstall, but the right way.

 

Here are instructions for a clean install of Windows 10. I would suggest you follow these instructions. If your computer is prepared for UEFI, make sure the BIOS is set to it and convert the disk to GPT. The rest is just following the prompts.


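As an added example (not from the thread, and not either poster's code), here is the check a practitioner would run to confirm what JSntgRvr describes above: which firmware mode the OS actually booted in, whether the disk is GPT or MBR, whether Secure Boot is on, and whether any RAW partitions or unallocated space remain. It assumes an elevated PowerShell 5.1 session on Windows 10; the Storage and SecureBoot modules it calls ship with Windows 10.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 5.1
# session on Windows 10 with the built-in Storage and SecureBoot modules.

function Get-BootConfiguration {
    # $env:firmware_type is set by Windows to "UEFI" or "Legacy" for the mode
    # the running OS was booted in (a GPT disk with a "Legacy" boot means CSM).
    $secureBoot = 'n/a (legacy boot or unsupported firmware)'
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    [pscustomobject]@{
        FirmwareMode = $env:firmware_type
        SecureBoot   = $secureBoot
    }
}

function Get-DiskLayoutReport {
    # One row per partition: type, size, letter, file system and health.
    # A healthy UEFI Windows 10 disk normally carries an EFI System partition
    # ('System'), an MSR ('Reserved', which never has a volume), the Windows
    # volume ('Basic', NTFS) and a 'Recovery' partition.
    foreach ($part in Get-Partition) {
        $vol = $part | Get-Volume -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Disk       = $part.DiskNumber
            Partition  = $part.PartitionNumber
            Type       = $part.Type
            GptType    = $part.GptType
            SizeGB     = [math]::Round($part.Size / 1GB, 2)
            Letter     = $part.DriveLetter
            FileSystem = if ($vol) { $vol.FileSystemType } else { $null }
            Health     = if ($vol) { $vol.HealthStatus } else { $null }
        }
    }
}

function Find-SuspectSpace {
    # Partitions other than the MSR that carry no recognised file system (what
    # the thread calls RAW), plus per-disk space that no partition claims.
    $raw = Get-DiskLayoutReport | Where-Object {
        $_.Type -ne 'Reserved' -and ($null -eq $_.FileSystem -or $_.FileSystem -eq 'Unknown')
    }
    $disks = Get-Disk | ForEach-Object {
        [pscustomobject]@{
            Disk           = $_.Number
            FriendlyName   = $_.FriendlyName
            PartitionStyle = $_.PartitionStyle   # expect 'GPT' for a UEFI install
            SizeGB         = [math]::Round($_.Size / 1GB, 1)
            UnallocatedGB  = [math]::Round(($_.Size - $_.AllocatedSize) / 1GB, 1)
        }
    }
    [pscustomobject]@{ RawPartitions = @($raw); Disks = @($disks) }
}

Get-BootConfiguration | Format-List
Get-DiskLayoutReport  | Format-Table -AutoSize
$space = Find-SuspectSpace
$space.Disks | Format-Table -AutoSize
if ($space.RawPartitions.Count -gt 0) {
    Write-Warning 'RAW (unformatted) partitions found:'
    $space.RawPartitions | Format-Table -AutoSize
}
```

A disk that reports PartitionStyle 'MBR' together with FirmwareMode 'Legacy' is exactly the situation the post describes; the fix is the one given there (back up, boot the install media in UEFI mode, convert to GPT, reinstall). A large UnallocatedGB figure on a disk is space no partition owns at all, which is one ordinary explanation for capacity that the BIOS reports but the OS never shows.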

#18 rayzuh (Member, Topic Starter, 17 posts)
Followed the instructions you linked and my PC is running a lot smoother. However, it seems like the virus is still present somehow. I will try to post the FRST logs as soon as I can; my Microsoft Edge is currently broken due to the sfc scan detecting errors.

Before I reinstalled I ran the clean all command using diskpart, so I'm amazed how the virus survived. I'm 90% sure I created a clean USB boot, so I don't know what else to do. Microsoft Sync, OneSync, Offline Files and OneDrive all run immediately when I log in to Windows for the first time, downloading who knows what.

I ran the sfc scan twice; the first one repaired some errors and the second one didn't find any. All 3 DISM commands came back clear as well.

I'm noticing the same weird shortcuts as before, as well as hidden users named Default User, Default and All Users that have loads of user profile files under their Documents. Also found an S-1-18 user folder hidden in the Recycle Bin, and when I emptied it, it'd just create another Recycle Bin, or shortcut?

#19 JSntgRvr (Global Moderator, 11,246 posts)
Post new logs.

#20 rayzuh (Member, Topic Starter, 17 posts)
I'm trying, but I can't download Firefox or Chrome using Command Prompt or PowerShell. I've tried running multiple scripts but I just get errors. My Microsoft Edge and Internet Explorer don't even open or run, so I'm not sure what to do. I've tried going to the Microsoft Store but it says I already have Edge installed. All of the other browser options in the Store look like malware. I also realized that the Cool File Viewer program from the Store is what infected my computer initially.

Edited by rayzuh, 18 October 2019 - 02:57 PM.


#21 rayzuh (Member, Topic Starter, 17 posts)
I also believe that I have HPA or DCO sectors on my drive; any tips on how to remove them? Everything I find about it on Google is absolutely useless.

#22 JSntgRvr (Global Moderator, 11,246 posts)

I also believe that I have HPA or DCO sectors on my drive, any tips on how to remove them? Everything I find about it on google is absolutely useless.


All Windows 10 installations, using GPT (UEFI), do have HPA or DCO partitions. It is part of its secure boot system.

Boot to the Recovery Environment
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums.
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums.
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
Once in the Command Prompt:
  • Type in the following and press Enter.

    bcdedit | find "osdevice"

  • Note the osdevice partition letter, then type

    CHKDSK X: /F

    where X is the osdevice letter, and press Enter.
  • The tool will start to run.
  • When finished, type exit and press Enter. Restart the computer.

Let us know if that makes a difference.
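The post above reads the osdevice letter out of bcdedit by eye. As an added example (not from the thread, and not either poster's code), the script below parses the whole of `bcdedit /enum all` instead, so the same pass also lists every boot entry's device and loader path and flags any path that is not one of the stock Windows 10 UEFI loaders, which is the first thing to look at when a bootkit is suspected. It then mounts the EFI System Partition with the built-in mountvol tool and checks the Authenticode signature and SHA-256 of bootmgfw.efi. The sample bcdedit text is constructed here for the parser demonstration, not captured from the poster's machine; the list of "expected" loader paths is my assumption about a stock install, so an entry flagged False is a prompt to look, not proof of anything. Run it from an elevated PowerShell 5.1 session in the installed Windows 10, not from the WinRE command prompt, where Get-AuthenticodeSignature is not available.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 5.1
# session on the installed Windows 10; bcdedit and mountvol are the built-in
# Windows tools. The "expected" loader paths are an assumption for a stock install.

function ConvertFrom-BcdEdit {
    # Parse "bcdedit /enum all" text into one object per entry. An entry is a
    # title line, a dashed rule, then "key<spaces>value" lines, ended by a blank
    # line. Indented continuation lines (multi-valued keys) are ignored.
    param([string[]]$Lines)
    $entries = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {
            if ($null -ne $current) { $entries.Add([pscustomobject]$current); $current = $null }
            continue
        }
        if ($line -match '^-+\s*$') { continue }
        if ($null -eq $current) { $current = [ordered]@{ Title = $line.Trim() }; continue }
        if ($line -match '^(\S+)\s+(.*)$') { $current[$Matches[1]] = $Matches[2].Trim() }
    }
    if ($null -ne $current) { $entries.Add([pscustomobject]$current) }
    return $entries.ToArray()
}

function Get-BootEntryReport {
    param([string[]]$BcdText = (bcdedit /enum all))
    # Loader paths a stock UEFI Windows 10 install uses (assumption, see lead-in).
    $expected = @('\EFI\Microsoft\Boot\bootmgfw.efi', '\EFI\Microsoft\Boot\memtest.efi',
                  '\Windows\system32\winload.efi',    '\Windows\system32\winresume.efi')
    foreach ($e in ConvertFrom-BcdEdit -Lines $BcdText) {
        if (-not $e.PSObject.Properties['path']) { continue }   # settings entries carry no path
        [pscustomobject]@{
            Title      = $e.Title
            Identifier = $e.identifier
            Device     = $e.device
            OsDevice   = if ($e.PSObject.Properties['osdevice']) { $e.osdevice } else { '' }
            Path       = $e.path
            Expected   = [bool]($expected -contains $e.path)   # -contains is case-insensitive
        }
    }
}

function Get-OsDeviceLetter {
    # The thread's "bcdedit | find osdevice" step: the letter CHKDSK should run on.
    param([string[]]$BcdText = (bcdedit /enum all))
    foreach ($e in ConvertFrom-BcdEdit -Lines $BcdText) {
        if ($e.PSObject.Properties['osdevice'] -and $e.osdevice -match 'partition=([A-Za-z]):') {
            $Matches[1].ToUpper() + ':'
        }
    }
}

function Test-EfiBootManager {
    # Mount the EFI System Partition on a free letter, verify the Authenticode
    # signature (bootmgfw.efi is a PE file) and hash it, then unmount again.
    param([string]$Letter = 'S:')
    mountvol $Letter /S | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mountvol could not mount the EFI System Partition on $Letter" }
    try {
        $file = "$Letter\EFI\Microsoft\Boot\bootmgfw.efi"
        $sig  = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File   = $file
            SHA256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            Status = $sig.Status      # expect 'Valid'
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } finally {
        mountvol $Letter /D | Out-Null
    }
}

# Constructed sample of "bcdedit /enum all" output for exercising the parser
# offline; it is not output from the poster's machine.
$sample = @'

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
osdevice                partition=C:
'@ -split "`r?`n"

Get-BootEntryReport -BcdText $sample | Format-Table -AutoSize
Get-OsDeviceLetter  -BcdText $sample | Select-Object -Unique

# Live checks on this machine (elevated):
Get-BootEntryReport | Format-Table -AutoSize
Get-OsDeviceLetter  | Select-Object -Unique
Test-EfiBootManager | Format-List
```

Firmware-added entries (the ones bcdedit labels "Firmware Application") often point at `\EFI\BOOT\BOOTX64.EFI` on removable media and will show Expected False; that is normal for a USB stick left plugged in. The useful signal is a Windows Boot Manager or Boot Loader entry whose Device or Path differs from the stock values, or a bootmgfw.efi whose Status is anything other than Valid with a Microsoft signer.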

#23 rayzuh (Member, Topic Starter, 17 posts)

I reflashed my BIOS as well and my PC is running a little bit smoother. I still think the virus is on my computer though; a lot of folders were hidden with permissions denying me from viewing them or changing anything. Random services like sync hosts and remote connections are running even though I have disabled every Windows setting related to them. I enabled intense security features in BIOS and Windows Defender, but they don't seem to be helping too much. The majority of the suspicious files are dated 3/19/2019, which is the day I installed Cool File Viewer. Even through the numerous nukes, cleans and resets, the same files with the same dates keep appearing.

Attached Files


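Post #16 describes hidden files in folders whose ACLs deny the user, SYSTEM and Everyone, and post #23 says the suspicious files all carry one creation date and reappear after every reinstall. As an added example (not from the thread, and not either poster's code), the script below is the triage pass a practitioner would run to turn those observations into a list: every file under a root created on a given day, with its Hidden/System attributes, owner, any Deny ACEs, and, for executables, the Authenticode status. The root and date are parameters; the defaults are illustrative, not taken from the poster's logs. One caveat worth knowing before reading the output: files applied from the Windows install image keep the timestamps recorded in the image, so the same dates on the same files under \Windows after a reinstall is the expected outcome, and NT SERVICE\TrustedInstaller is the normal owner of Windows components. What separates a legitimate OS file from something planted is the signature column and the Deny entries, not the date. It assumes an elevated PowerShell 5.1 session on Windows 10.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 5.1
# session on Windows 10. Root and date are illustrative parameters, not values
# taken from the poster's logs.

function Get-FileTriageReport {
    param(
        [string]$Root = $env:SystemRoot,
        [datetime]$CreatedOn = [datetime]'2019-03-19'   # the date the poster mentions
    )
    # -Force includes Hidden and System files, which post #16 says are being
    # used to stay out of sight; -File skips directories.
    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $CreatedOn.Date }

    foreach ($f in $files) {
        $acl = $null
        try { $acl = Get-Acl -LiteralPath $f.FullName } catch { }
        # Deny ACEs are what post #16 describes: folders the user, SYSTEM and
        # Everyone are denied on while other principals get Full Control.
        $deny = if ($acl) { @($acl.Access | Where-Object AccessControlType -eq 'Deny') } else { @() }
        # Only PE/script types carry an Authenticode signature worth checking.
        $sig = if ($f.Extension -in '.exe', '.dll', '.sys', '.msi', '.ps1') {
                   Get-AuthenticodeSignature -FilePath $f.FullName
               } else { $null }
        [pscustomobject]@{
            Path      = $f.FullName
            Created   = $f.CreationTime
            Modified  = $f.LastWriteTime
            Hidden    = (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            System    = (($f.Attributes -band [IO.FileAttributes]::System) -ne 0)
            Owner     = if ($acl) { $acl.Owner } else { 'n/a' }
            DenyACEs  = ($deny | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            SigStatus = if ($sig) { [string]$sig.Status } else { '' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# A full C:\ walk takes a while; start with $env:SystemRoot and widen from there.
$report = Get-FileTriageReport -Root $env:SystemRoot -CreatedOn '2019-03-19'

# Distribution of signature results: a large 'Valid' bucket signed by Microsoft
# is the install image; 'NotSigned' or 'HashMismatch' executables are the
# rows to pull.
$report | Where-Object SigStatus | Group-Object SigStatus | Format-Table Name, Count -AutoSize

# Files with Deny entries, or executables whose signature does not verify.
$report | Where-Object { $_.DenyACEs -or ($_.SigStatus -and $_.SigStatus -ne 'Valid') } |
    Sort-Object Created |
    Format-Table Path, Hidden, System, Owner, DenyACEs, SigStatus -AutoSize
```

Keep the date filter as a way to narrow the list, not as the verdict: a row earns attention when it is a hidden, Deny-protected executable that does not verify, regardless of which day it was created.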

#24 JSntgRvr (Global Moderator, 11,246 posts)

I don't see any infection in those logs.

It seems that you deleted the old installation folders in C:\Windows followed with an extension when upgraded to Windows 10, or so the DISM report indicates. Please try this command at an administrator command prompt to check for those missing .inf files.

Dism /online /Get-Drivers
 

The only vendor that claims that the firmware can be infected is ESET. It also indicates that in the event of an infection in the firmware, the only way out will be flashing the firmware or replacing the motherboard. Our tools are not prepared to distinguish whether there is an infection in the firmware or not. Now, flashing the firmware, as well as the BIOS, could be dangerous as you may lose the ability to boot. So I will leave that to you. Backing up your data is suggested.

 

I don't know if you have tried ESET. There is an online scan that I believe you should try.

 

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then click Do not clean. Place a checkmark at Delete application's data on close, click Finish and close the program.

Post the ESET log.txt report.

Don't forget to re-enable previously switched-off protection software!

 


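`Dism /online /Get-Drivers` in the post above lists the third-party driver packages in the driver store but says nothing about whether their binaries are signed, which is the question behind "drivers installed in the background to give credibility". As an added example (not from the thread, and not either poster's code), the script below takes the same list through the Dism PowerShell module (Get-WindowsDriver -Online is the cmdlet equivalent of that command), checks the Authenticode signature of every binary each package ships, and then does the same for the kernel drivers currently running, whatever installed them. It assumes an elevated PowerShell 5.1 session on Windows 10; the Dism module and Get-AuthenticodeSignature ship with Windows.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 5.1
# session on Windows 10; the Dism module ships with Windows.
Import-Module Dism

function Get-DriverStoreSignatureReport {
    # Every non-inbox driver package DISM knows about (the same list as
    # "Dism /online /Get-Drivers"), with the Authenticode status of each
    # binary the package keeps beside its .inf in the DriverStore.
    foreach ($drv in Get-WindowsDriver -Online) {
        $pkgDir   = Split-Path -Parent $drv.OriginalFileName
        $binaries = Get-ChildItem -Path $pkgDir -Recurse -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue
        foreach ($bin in $binaries) {
            $sig = Get-AuthenticodeSignature -FilePath $bin.FullName
            [pscustomobject]@{
                Inf          = $drv.Driver            # published name, oemNN.inf
                Provider     = $drv.ProviderName
                Class        = $drv.ClassName
                BootCritical = $drv.BootCritical
                InfDate      = $drv.Date              # date stamped in the .inf by the vendor
                File         = $bin.FullName
                SigStatus    = [string]$sig.Status
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings: a plain path,
    # \??\C:\..., \SystemRoot\System32\..., or System32\drivers\x.sys.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -and -not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverSignatureReport {
    # Kernel drivers the service control manager currently has running.
    foreach ($d in Get-CimInstance Win32_SystemDriver -Filter "State='Running'") {
        $path = Resolve-DriverPath $d.PathName
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name      = $d.Name
            StartMode = $d.StartMode
            Path      = $path
            SigStatus = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$store  = Get-DriverStoreSignatureReport
$loaded = Get-LoadedDriverSignatureReport

# Anything other than 'Valid' is the place to start: NotSigned, HashMismatch,
# UnknownError (the chain does not reach a trusted root) or a missing file.
$store  | Where-Object SigStatus -ne 'Valid' | Format-Table Inf, Provider, File, SigStatus -AutoSize
$loaded | Where-Object SigStatus -ne 'Valid' | Format-Table Name, StartMode, Path, SigStatus -AutoSize

# Packages grouped by the .inf date; this is the vendor's date, not the day
# the package landed on this machine, so it is context rather than evidence.
$store | Group-Object { $_.InfDate.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Format-Table Name, Count -AutoSize
```

A running driver whose file is unsigned or missing from disk is worth reporting with the FRST logs; a third-party package whose binaries verify against the vendor's certificate is what a chipset, GPU or network driver normally looks like, even when its .inf date predates the reinstall.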

#25 rayzuh (Member, Topic Starter, 17 posts)

I definitely wasn't the one who deleted the files or folder; it had to be the bootkit. Before this Windows installation, I had reflashed my BIOS. Immediately after the flash, I booted into my USB drive using the Windows Media Creation Tool. From the recovery/installation environment, I deleted all of the partitions in the "Where to install" screen. After that, I created new ones to fill up all the available space, formatted them, and deleted them again to make sure there was no data left. Afterwards, I went into diskpart, selected my main disk and typed "clean all". Once that was done, I converted the drive to GPT and recreated the partitions before installing Windows. The ESET scan didn't detect anything and the log is useless; it doesn't give any information. My firmware is definitely infected, because if I disable Secure Boot in BIOS, my Windows starts up with Intel Boot Manager before actually launching my MSI BIOS. Are there other components that need to be flashed as well, other than the BIOS?

Attached Files


Edited by rayzuh, 21 October 2019 - 07:25 PM.


#26 JSntgRvr (Global Moderator, 11,246 posts)

If you still believe there is a bootkit, you will need to flash the UEFI Firmware, if available. Else, replacing the motherboard will be the only work around. There is no fix on a GPT partition bootkit.



#27 JSntgRvr (Global Moderator, 11,246 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.







