Windows 10: Keep getting infected.. Rootkit, Bootkit, Keylogger ?

Discuss and support Keep getting infected.. Rootkit, Bootkit, Keylogger ? in AntiVirus, Firewalls and System Security to solve the problem; Hello! from a new guy. I must say what a great forum ya have here, knowledgeable & helpful people. Tutorials are awesome (even I can follow them &... Discussion in 'AntiVirus, Firewalls and System Security' started by Greyslate, Dec 30, 2016.

  1. Greyslate Win User

    Keep getting infected.. Rootkit, Bootkit, Keylogger ?


    Hello! from a new guy.

    I must say what a great forum ya have here, knowledgeable & helpful people. Tutorials are awesome (even I can follow them & that's no small feat).

    Anyhow, I've been reading like mad trying to fix stuff myself.

    Following Kyhi's guide I made a Bootable USB Rescue Disk, with the ISO per NavyLCDR.
    Performed a couple wipes & clean installs, hoping it would cure things.
    Well didn't seem to fix it and now I think I may have infected the USB Rescue Disk. *Mad

    So, I'm admitting defeat & asking for your help / guidance.

    Anybody game?

    Tnx,

    :)
     
    Greyslate, Dec 30, 2016
    #1

  2. keylogger

    If there’s no option to remove the blocked item, or to identify the threat, then you might want to see if any specific file is implicated; and if so, then upload that file to VirusTotal:

    VirusTotal

    If you want to delve a little deeper with antimalware, then you can use specialized anti-rootkit apps to go after kernel-based keyloggers:

    http://www.geckoandfly.com/17960/an...ctable-spyware-computer-surveillance-malware/

    And if you’re seriously concerned about this, as it seems you are; then you might also want to consider using an anti-keylogger app. If you’d like to try a free one, then I would recommend
    Zemana AntiLogger Free:

    Zemana AntiLogger Free
     
    GreginMich, Dec 30, 2016
    #2
  3. Le Boule Win User
    Rootkit infection

    That file is an anti-rootkit scanner by Avast. And I'm not sure whether it works on Win 10.

    If you have an Avast anti-rootkit scanner and you’re running another rootkit scanner (such as GMER) then the two programs are possibly causing software conflicts.

    Running too many AV programs concurrently is not always a good idea.

    Assuming you're using Avast, I recommend you seek their advice:
    https://forum.avast.com/index.php?board=2.0


    Also suggest you review
    Best Practices for Safe Computing - Prevention of Malware Infection


    Regards…

    Top 10 Ways PUPs Sneak Onto Your Computer. And How To Avoid Them.
     
    Le Boule, Dec 30, 2016
    #3
  4. Neemobeer Win User

    Keep getting infected.. Rootkit, Bootkit, Keylogger ?

    As long as you're formatting the drive during the clean install, only firmware malware would persist, and that is extremely rare and difficult to create. You may want to create the install media on someone else's computer, format the drive completely and install Windows. The first thing you should install is an AV product such as Avast or AVG, which have decent free anti-virus protection.
     
    Neemobeer, Dec 30, 2016
    #4
  5. Greyslate Win User
    Ty for the reply.

    That's pretty much what I did & after reinstalling, everything seems OK. But give it a few days & things start happening again. E.g. this re-install is less than a week old & first thing today I was prompted to recover the BIOS? Then when surfing I got a full screen popup that said my system experienced an error & to call a number with a code. The system shut down & restarted so fast I didn't even get a good look at the popup.

    So I decided to wipe it & start over. Out of habit I run MBAM & ESET on the Recovery USB thumb drive before reconnecting the hard drive to perform the re-install.

    Normally it's all clean (except for the keyfinder program), however, today it found 6 Registry Data issues: "Broken.OpenCommand, HKCR\exefile\shell\open\command". So I think the USB recovery drive may have been infected?

    Here's "some" history & sorry for the book...


    I've been locked out of 3 routers in 6 months. Reset doesn't work & Verizon is unable to reset it either. On each new one the only way I could access it was to copy/paste the password.

    Sometimes when turning on the PC it doesn't take the password first time. The screen flashes & I have to type password again. This happens randomly but never when waking from sleep. At first I thought I must have typo'd it. But I took notice as it happened more & more and make sure I'm entering it correctly.

    Something else it does (and I warn you it's going to sound crazy). I've noticed this with MBAM, AVG, AVAST & Defender. It says it's updating, but doesn't seem like it is. Hard to explain so bear with me while I try to.

    After I install a program the first couple updates seem normal, you see it check, then download, and install. After those times, updating will just flash that it's checking then show it's updated to current version. This occurs so fast if you blink you'll miss it.

    This odd behavior prompted me to check updates on the Mfr site before I updated the program. The updates were quite large. To me it doesn't seem possible it can check, download huge files & install in under 1 second. Whereas before it took much, much longer.

    Thoughts?
     
    Greyslate, Dec 30, 2016
    #5
  6. simrick Win User
    Hi Greyslate and welcome to Tenforums.

    It's possible to have an infected router. I would check to make sure you have the latest firmware, and completely reset it. Then be sure to change the default access password, so no one can get into it and mess around.
    (Usually 192.168.x.x and "admin")

    For the flash drive, you can completely wipe it (in case of infection) using diskpart:
    At an Admin Command Prompt enter
        diskpart
    then enter
        list disk
    Identify the flash drive - be VERY sure which one it is
    type
        select disk <x>
    where <x> is the flash drive, and enter
    type
        clean
    type
        create par primary
    type
        active
    type
        format FS=FAT32 LABEL="name" QUICK
    "name" - call it whatever you want
    type
        exit
    to exit diskpart
    type
        exit
    to exit cmd prompt

    Make sure your BIOS is up-to-date.

    When installing the OS, use the custom install selection, and wipe all partitions, until you have nothing left but "unallocated" space on the drive.

    https://www.tenforums.com/tutorials/...n-install.html



    Once you have the OS installed, create a base image using Macrium Reflect Free on an external HDD.
    https://www.tenforums.com/tutorials/...p-restore.html

    As you load your software, make more images, so you have something "clean" to fall back on, if you have problems. Create subsequent images as you load software, and be careful what software you load.


    For protection, I can recommend Avast Free, or ESET NOD32 (paid), MBAM Free (or paid), and ADWCleaner (Free, run on demand), to ferret out problems as they arise.

    The issue of a screen appearing telling you your system has problems and you should call a number for assistance - well, that's not an infection. If you disconnect the router, close the browser and clear out the cache, reopen the browser and remove that tab from opening, then reconnect the router, it should solve that problem.

    Hope that helps.
     
    simrick, Dec 31, 2016
    #6
  7. Since you have already reinstalled, let's focus on trying to keep your system running malware free.
    For starters disable scripting within Windows, it prevents the majority of malware from working.
    AV does not matter, since it is not working anyway. Run CMD as admin and copy/paste:
        reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    I would also recommend removing PowerShell, which is being heavily used by the new malware:
        takeown /f "%ProgramFiles%\WindowsPowerShell" /a /r /d y
        icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
        rd "%ProgramFiles%\WindowsPowerShell" /s /q
        takeown /f "%ProgramFiles(x86)%\WindowsPowerShell" /a /r /d y
        icacls "%ProgramFiles(x86)%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
        rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
        takeown /f "%WINDIR%\System32\WindowsPowerShell" /a /r /d y
        icacls "%WINDIR%\System32\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
        rd "%WINDIR%\System32\WindowsPowerShell" /s /q
        takeown /f "%WINDIR%\SysWOW64\WindowsPowerShell" /a /r /d y
        icacls "%WINDIR%\SysWOW64\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
        rd "%WINDIR%\SysWOW64\WindowsPowerShell" /s /q
     
    TairikuOkami, Dec 31, 2016
    #7
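    An added, read-only audit script (not posted by anyone in this thread) that checks the two registry settings discussed above: the Windows Script Host "Enabled" value that TairikuOkami's reg add command sets to 0 (post #7), and the .exe open-command handler that MBAM flagged as Broken.OpenCommand in Greyslate's scan (post #5). The expected stock handler value `"%1" %*` is a known Windows default; the function names are this example's own.

```powershell
# Added audit example. Reports, never modifies. Run from an elevated PowerShell prompt.

function Get-WshState {
    # Windows Script Host honours HKLM and HKCU. A missing value means scripting is
    # enabled (the default); 0 means disabled, as set by the reg add command above.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows Script Host\Settings"
        $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Hive     = $hive
            Value    = if ($null -eq $val) { 'not set (enabled by default)' } else { $val }
            Disabled = ($val -eq 0)
        }
    }
}

function Test-ExeOpenCommand {
    # HKCR is a merged view: HKCU\Software\Classes overrides HKLM\Software\Classes.
    # The machine-wide value should be the stock string, and no per-user override
    # for exefile should exist at all. Malware that hijacks .exe launches breaks one of these.
    $expected = '"%1" %*'
    $machine  = 'HKLM:\Software\Classes\exefile\shell\open\command'
    $user     = 'HKCU:\Software\Classes\exefile\shell\open\command'

    $machineValue = (Get-ItemProperty -Path $machine -ErrorAction SilentlyContinue).'(default)'
    $userOverride = Test-Path -Path $user

    [pscustomobject]@{
        Expected       = $expected
        MachineValue   = $machineValue
        UserOverride   = $userOverride
        Intact         = ($machineValue -eq $expected) -and (-not $userOverride)
    }
}

Get-WshState | Format-Table -AutoSize
Test-ExeOpenCommand | Format-List
```

    A result with Intact = False (wrong machine value or a per-user exefile override present) is worth comparing against a known-clean install before rebuilding.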
  8. Greyslate Win User

    Keep getting infected.. Rootkit, Bootkit, Keylogger ?

    I just came back to the PC & the lock screen has a popup that says the Recycle bin is corrupted & asked if I wanted to empty it? I just closed it out.

    Yes, each time when the new routers arrived, I've changed the default login & password. But at some point it gets modified and my router user & password no longer work (and Verizon can't remote in). Doing a hard reset doesn't clear it back to the default login/pword. Verizon says it's just bad routers. I'm not sure about that.

    Actually I haven't done the reinstall yet.

    I planned to, but MBAM found those Registry Data issues on my Recovery USB thumb drive. So I wasn't sure if it is infected too, or safe to use for the reinstall?

    *Cool I put the codes in, that's like serious stuff.

    At this point I'm not sure if anything I have is clean. Would it be OK to wipe the USB drive on this PC & download Kyhi's recovery PE, then use that to wipe the HDD & reinstall?

    BTW................ HAPPY NEW YEAR !!!!!!!
     
    Greyslate, Dec 31, 2016
    #8
  9. swarfega Win User
    Since you use MBAM I would recommend not using version 3. I had no end of issues with permissions and modules not turning themselves on properly. So until they sort that out, consider going back to the last 2.2.1 code.
     
    swarfega, Dec 31, 2016
    #9
  10. simrick Win User
    I had some infected flash drives from a friend, which needed the personal data on them saved and then completely wiped. They each had a hidden partition on them, which is where I found all his personal data. Once the data was safe, I used diskpart (as above) to clean them. These infected flash drives infected the computer I was using to clean them (obviously). So, once I had the flash drives cleaned, I restored a Macrium image to the system, to get rid of the infection on it.
     
    simrick, Jan 2, 2017
    #10
  11. NavyLCDR New Member
    This is how to erase all partitions on a USB flash drive:

    Insert a USB flash drive into a running computer.

    Open a Command Prompt window as an administrator [Command Prompt (Admin)].

    Type diskpart.

    In the new command line window that opens, to determine the USB flash drive number or drive letter, at the command prompt, type list disk, and then click ENTER. The list disk command displays all the disks on the computer. Note the drive number or drive letter of the USB flash drive.

    At the command prompt, type select disk <X>, where X is the drive number or drive letter of the USB flash drive, and then click ENTER.

    Type clean, and then click ENTER. This command deletes all data from the USB flash drive.

    Type Exit and ENTER twice to get out of diskpart and then out of the command prompt window.
     
    NavyLCDR, Apr 5, 2018
    #11
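    The diskpart procedure given by simrick (post #6) and NavyLCDR (post #11) as an added PowerShell example, not posted by either of them. It uses the Storage module cmdlets (Get-Disk, Clear-Disk, New-Partition, Format-Volume) and handles the "be VERY sure which one it is" step by selecting only disks on the USB bus and refusing to run unless exactly one is attached; the volume label RESCUE and the function names are this example's own choices.

```powershell
# Added example: wipe and re-create a single USB flash drive. Elevated PowerShell required.
param(
    [string]$Label = 'RESCUE'   # assumed label; diskpart's LABEL="name" in the thread
)

function Get-UsbDisk {
    # Internal drives report SATA, NVMe, RAID etc.; only USB-attached disks come back.
    Get-Disk | Where-Object { $_.BusType -eq 'USB' }
}

function Reset-UsbDisk {
    param([Parameter(Mandatory)]$Disk, [string]$Label)
    # Equivalent of diskpart "clean": drops every partition, including hidden/OEM ones
    # like the hidden partition simrick found on his friend's drives (post #10).
    Clear-Disk -Number $Disk.Number -RemoveData -RemoveOEM -Confirm:$false
    Initialize-Disk -Number $Disk.Number -PartitionStyle MBR
    # "create partition primary" + "active" + "format FS=FAT32 LABEL=... QUICK".
    # Format-Volume refuses FAT32 above 32 GB; use a smaller stick or exFAT for those.
    $part = New-Partition -DiskNumber $Disk.Number -UseMaximumSize -IsActive -AssignDriveLetter
    Format-Volume -Partition $part -FileSystem FAT32 -NewFileSystemLabel $Label -Confirm:$false
}

$usb = @(Get-UsbDisk)
if ($usb.Count -ne 1) {
    Write-Warning "Expected exactly one USB disk, found $($usb.Count). Unplug the others and retry."
    return
}
$d = $usb[0]
Write-Host ("About to erase disk {0}: {1} ({2:N1} GB)" -f $d.Number, $d.FriendlyName, ($d.Size / 1GB))
if ((Read-Host 'Type WIPE to continue') -ne 'WIPE') { return }
Reset-UsbDisk -Disk $d -Label $Label
```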