Fixlist help

fixlist help malware bootkit

#16 rayzuh (Topic Starter, Member, 12 posts)
I don't think you're understanding my problems, so let me run through it quickly:

  1. Looping AppData shortcuts from EACH user on my PC, including hidden users that have random .exe, .jco and .manifest files everywhere.
  2. "Windows" programs and Store apps keep re-downloading themselves due to Microsoft Sync and Remote Procedures. And no, I am not signing into my Microsoft account to trigger this. I created a local user on my PC and didn't download any software other than FRST on this fresh installation, yet my registry is heavily modified. Ex: legit Windows Defender services can't be started in Safe Mode, yet there are obviously bootleg "Windows Anti-Malware" services that run in Safe Mode anyway.
  3. Random devices/services running on each sign-in; most of them have something to do with Hyper-V, Workstations, or Remote Access (which I have disabled multiple times through BIOS and Windows options, but they manage to reset themselves 10+ minutes after closing the window, or at any login; I can sign out and sign in quickly and glimpse all the programs starting before they shut down because I have Task Manager open).
  4. 170GB of my 2TB hard drive is in an unknown location (it's not in my hidden System Volume Information folders and there are no extra partitions that I can find). In BIOS my system detects the 2TB, but as soon as I launch the OS it disappears.
  5. These programs aren't being "installed". They are being downloaded as complete packages from an unknown host randomly. They are placed inside folders that my "User", "System" and "Everyone" are denied access to. However, random users, a fake TrustedInstaller and All Restricted Applications are allowed full control. These folders and files can avoid detection by making themselves hidden or by installing drivers/services in the background that give "credibility" to them. The programs that run in the background have been keylogging and encrypting it to a "shared" file that I managed to look at before my last reset. In the log I checked, the program had actually logged one of my actual passwords in a TXT, and it conveniently had the key for the decryption right next to it.
  6. The malware also monitors my main desktop window, so it knows when it's safe to run something in the background. If I am in a full-screen game, the programs will start aggressively mining in the background until I open Task Manager, when most of them shut down. I have a beast of a PC, so it should take no time whatsoever to open Task Manager; however, it takes about 15-20 seconds to load and initially loads with 100% CPU usage. Most of the time, a service/program called "System" will be what is taking up the most CPU during the lag. However, I have caught some "Programmable Interrupt Controllers" that were obviously not Windows processes that were responsible. Some random services aren't closed when I open Task Manager, and if it notices that I'm just leaving Task Manager open, it will have a "System" process that starts to mine my HDD instead.
  7. I can't connect to WiFi/Ethernet normally because there are services/programs blocking it. The only way to resolve it is by having the malware version of the Windows Troubleshooter "reset" the adapter (which just installs other hidden devices in my Device Manager).
  8. Hidden files everywhere that are obviously up to no good. Any malware that I send to my Recycle Bin recovers itself, even after I click "empty all files". I've noticed a registry entry that monitors my Recycle Bin for certain programs to prevent them from being deleted. Sometimes the files completely cloak themselves in the Recycle Bin and I have to use the dir or attrib command in CMD to even see them.
  9. These programs all work together, intricately. If one of them goes down, it starts a chain reaction of registry, permission and file scanning until it detects the problem and recovers itself.
  10. Somehow, some way, my Windows 10 installation disc, which is a DVD-ROM (read only), was modified by the virus and turned into a BD-RE disc. They managed to swap out my normal boot files with the infected ones.
  11. Most of my files are just shells. Here's an example from desktop.ini, which is in pretty much every one of my folders for some reason:

       [.ShellClassInfo]
       LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
       IconResource=%SystemRoot%\system32\imageres.dll,-183

Keep in mind this is what I've already done over the last two weeks trying to fix the issue myself:

  • Reformatted the hard drive 6x, factory reset 3x, Windows Update/Media Creation Tool installation 2x, Windows installation from the DVD-ROM disc, and even used DBAN DoD to nuke the drive.
  • Deleting partitions separately in diskpart and in Windows.
  • Flashing the BIOS and VBIOS.

 

Below I have attached a zip with logs you should look at; here's a quick description:

  • Aria-debug log found in the temp folder. Malicious telemetry? BTW, I don't have a C:/Build folder normally, so this is sketchy.
  • CBS1 = SFC check from immediately after a 'fresh' installation (or I might've been in the Recovery Environment, can't remember); errors and skipped files not fixed even though it said in CMD that they were repaired.
  • CBS2 = SFC from today. Lots of unknown sources and skipped file scans, interruptions. However, when the tool was done it said everything was repaired, which is a blatant lie.
  • DISM1 = DISM scan not doing anything about unknown signatures, yet saying repair complete in CMD.
  • Setupact = Found this in my temp folder recently; looks like malware, but I didn't look too closely.
  • SQL log = Doesn't make sense why this is running on a fresh installation; also from the temp folder.
  • WMsetup = Sketchy.

 

Attached Files


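Three of the claims in the post above (space the OS does not account for, hidden executables in every user profile, services whose binaries are not what they claim) can be checked with built-in tooling before anyone touches a fixlist. The script below is an added example, not part of the original post or of any helper's reply in this thread. It assumes Windows 10 with the Storage module (Get-Disk/Get-Partition) and an elevated PowerShell session; the profile root C:\Users and the SafeBoot\Minimal registry key are the standard locations and are assumed to be unchanged. It only reads, it changes nothing.

```powershell
# Added triage script (not from the original post or the forum's helpers).
# Assumes Windows 10 with the Storage module and an elevated PowerShell session.

# --- 1. Where is the "missing" 170GB? Compare each disk's size with the sum of
#        its partitions. Space outside every partition shows as UnallocGB; space
#        inside a partition that is not visible as files is a filesystem question
#        and will not appear here.
function Get-DiskAccounting {
    foreach ($disk in Get-Disk) {
        $parts = @(Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue)
        $allocated = ($parts | Measure-Object -Property Size -Sum).Sum
        if (-not $allocated) { $allocated = 0 }
        [pscustomobject]@{
            Disk        = $disk.Number
            Style       = $disk.PartitionStyle
            SizeGB      = [math]::Round($disk.Size / 1GB, 1)
            PartitionGB = [math]::Round($allocated / 1GB, 1)
            UnallocGB   = [math]::Round(($disk.Size - $allocated) / 1GB, 1)
            Partitions  = ($parts | ForEach-Object { "$($_.PartitionNumber)=$($_.Type)" }) -join ' '
        }
    }
}

# --- 2. Executables in every profile under C:\Users (assumed default root),
#        hidden/system ones included via -Force, with Authenticode status and a
#        SHA256 that can be looked up on another machine.
function Get-ProfileExecutables {
    $profiles = Get-ChildItem -Path 'C:\Users' -Directory -Force
    foreach ($p in $profiles) {
        Get-ChildItem -Path $p.FullName -Recurse -Force -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path   = $_.FullName
                    Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    System = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# --- 3. Each service's binary, who signed it, and whether it is registered to
#        run in Safe Mode (SafeBoot\Minimal lists services by name; entries that
#        name a driver group instead are not covered by this check).
#        svchost-hosted services all resolve to svchost.exe, so the ServiceDll
#        from the service's Parameters key is reported as well.
function Get-ServiceBinaries {
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $cmd = [string]$svc.PathName
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
               else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        [pscustomobject]@{
            Name       = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            SafeMode   = Test-Path -Path (Join-Path $safeBoot $svc.Name)
            Exe        = $exe
            ServiceDll = $dll
            Status     = if ($sig) { $sig.Status } else { 'missing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

Get-DiskAccounting | Format-Table -AutoSize

# Unsigned, invalidly signed, hidden or system-attributed executables in user profiles.
Get-ProfileExecutables |
    Where-Object { $_.Status -ne 'Valid' -or $_.Hidden -or $_.System } |
    Sort-Object Path | Format-Table -AutoSize

# Services whose binary is missing, unsigned, or not signed by Microsoft.
Get-ServiceBinaries |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Name | Format-Table -AutoSize
```

Two caveats on reading the output. The service filter will also surface legitimately third-party-signed services (OEM utilities, GPU and audio vendors), so treat the list as things to hash and look up, not as a verdict; a genuinely suspicious entry is one whose binary or ServiceDll sits in a user profile or temp directory, is unsigned, and is registered under SafeBoot. And because the script runs on top of the OS it is inspecting, it cannot see anything below it: if the thread's "bootkit" tag is right, firmware and boot-sector inspection from separate boot media is the only check that can confirm or rule that out.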
