d9d9
Honorary Members
Everything posted by d9d9
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
I've tried all that already, and erased every hard drive. Can you tell me if the HMPA log is a false-positive ROP or not? Because I'm telling you it has to be coming from another hijacked computer on my network, or someone on my network.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Hello, Sophos found nothing, but I'd like to inform you that HitmanPro.Alert has been mitigating the virus. As it's looking for whatever app it can find to keep running, Discord was one of the victims: I found in Startup it had 24 processes under it, such as reg.exe and other such exes that I did not screenshot at the time. Since then I've disabled all startup programs, and just now, as I've had Discord open for maybe an hour or two, HMPA caught a ROP, "Drive-by Compromise - ID: T1189, Tactic: Initial Access". I would like to believe it uses some sort of kernel-level mechanism, through my motherboard's drivers or some such. I'll be copying and pasting the log below:

Mitigation ROP
Timestamp 2023-09-22T17:29:53
Platform 10.0.22621/x64 v947 06_9e
PID 10504
WoW x86
Feature 007D0A3617BF01B6
Application C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe
Created 2023-09-20T18:45:14
Description Discord 1.0
Callee Type AllocateVirtualMemory 0x3D0C4000 (241664 bytes)

Branch Trace
Opcode To
-------------------------------- -------- --------------------------------
SleepEx +0xc6 RET GetQueuedCompletionStatus +0x15 ^0124
0x74F7C856 KernelBase.dll 0x75069B65 KernelBase.dll
WaitForSingleObject +0x13 ~ RET* 0x0113B580 Discord.exe ^001F
0x74FA11E3 KernelBase.dll
 6a05 PUSH 0x5
 68b00f7b07 PUSH DWORD 0x77b0fb0
 e8d4692303 CALL 0x4371f60
 8b4df4 MOV ECX, [EBP-0xc]
 31e9 XOR ECX, EBP
 e8c3321c03 CALL 0x42fe859
 b001 MOV AL, 0x1
 83c41c ADD ESP, 0x1c
 5e POP ESI
 5f POP EDI
 5d POP EBP
 c3 RET
 (ABF87D29E9B59CDE)
WaitForSingleObjectEx +0xb6 ~ RET WaitForSingleObject +0x12 ^0010
0x74FA12A6 KernelBase.dll 0x74FA11E2 KernelBase.dll
WaitForSingleObjectEx +0xda RET WaitForSingleObjectEx +0xa5 ^0024
0x74FA12CA KernelBase.dll 0x74FA1295 KernelBase.dll
NtWaitForSingleObject +0xc ~ RET WaitForSingleObjectEx +0x88 ^0016
0x7713619C ntdll.dll 0x74FA1278 KernelBase.dll

Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 74FA0BF0 KernelBase.dll VirtualAlloc +0x40
2 0409E858 Discord.exe
 85c0 TEST EAX, EAX
 0f95c0 SETNZ AL
 5e POP ESI
 5d POP EBP
 c3 RET
3 040FCFD5 Discord.exe
4 03B50E93 Discord.exe
5 03B24801 Discord.exe
6 04B2FAFE Discord.exe
7 03AD5BD4 Discord.exe
8 03B05D28 Discord.exe
9 03CE8296 Discord.exe
10 0163A191 Discord.exe

Loaded Modules (43)
-----------------------------------------------------------------------------
00B00000-090BC000 Discord.exe (Discord Inc.), version: 1.0.9018
770C0000-7726F000 ntdll.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
76A50000-76B40000 KERNEL32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
73DA0000-73EBC000 hmpalert.dll (SurfRight B.V.), version: 3.8.22.947
74E60000-750D3000 KERNELBASE.dll (Microsoft Corporation), version: 10.0.22621.2283 (WinBuild.160101.0800)
74DC0000-74E5C000 OLEAUT32.dll (Microsoft Corporation), version: 10.0.22621.1992 (WinBuild.160101.0800)
755B0000-75629000 msvcp_win.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
750E0000-751F2000 ucrtbase.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
752C0000-7553C000 combase.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
762E0000-7639A000 RPCRT4.dll (Microsoft Corporation), version: 10.0.22621.1992 (WinBuild.160101.0800)
76B50000-76BAF000 WS2_32.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
75660000-75763000 CRYPT32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
6C940000-6CD75000 ffmpeg.dll (), version:
6C5F0000-6C93C000 UIAutomationCore.DLL (Microsoft Corporation), version: 7.2.22621.2070 (WinBuild.160101.0800)
6C410000-6C5E2000 dbghelp.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
73220000-73226000 MSIMG32.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
75630000-75653000 GDI32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
760C0000-760DA000 win32u.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
76870000-76951000 gdi32full.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
76CC0000-76E68000 USER32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
73250000-73281000 WINMM.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
74110000-74134000 IPHLPAPI.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
744B0000-744B8000 VERSION.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
75ED0000-75F94000 msvcrt.dll (Microsoft Corporation), version: 7.0.22621.608 (WinBuild.160101.0800)
744C0000-744E4000 USERENV.dll (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
6F650000-6F868000 DWrite.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
6CF10000-6CF88000 WINSPOOL.DRV (Microsoft Corporation), version: 10.0.22621.1778 (WinBuild.160101.0800)
76FE0000-770A1000 shcore.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
6DE70000-6DE7A000 Secur32.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
74140000-7421C000 WINHTTP.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
767E0000-76864000 sechost.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
740D0000-740E7000 dhcpcsvc.DLL (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
740A0000-740C6000 SSPICLI.DLL (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
760E0000-76105000 IMM32.DLL (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
75540000-755A2000 bcryptPrimitives.dll (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
76110000-7618D000 ADVAPI32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
744F0000-744FB000 CRYPTBASE.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6DD90000-6DDD5000 powrprof.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
6DD80000-6DD8E000 UMPDC.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
74220000-7429F000 uxtheme.dll (Microsoft Corporation), version: 10.0.22621.2283 (WinBuild.160101.0800)
73FA0000-73FF1000 mswsock.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
75770000-75DFF000 SHELL32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
74490000-744A3000 kernel.appcore.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)

Process Trace
1 C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [10504]
 "C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe" --type=renderer --user-data-dir="C:\Users\prere\AppData\Roaming\discord" --standard-schemes --secure-schemes=disclip --bypasscsp-schemes --cors-schemes --fetch-schemes=disclip --service-worker
2 C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Dropped Files
1 C:\USERS\PRERE\APPDATA\ROAMING\DISCORD\SENTRY\SCOPE_V2.JSON
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
2 C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000073.log
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
3 C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000074.ldb
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
4 C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000075.ldb
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
5 C:\Users\prere\AppData\Local\Temp\scoped_dir11120_1882702941\66393d9ab8472e274405461a927298e2.png
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
6 C:\Users\prere\AppData\Local\Temp\19b66270-2a70-4e39-9e44-480b5381e85d.tmp
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Thumbprints
53de85142f2df8bc3250d3a8c67a36358427a94aabc2fade0587caa2bb52cebf

Second log it picked up:

Mitigation ROP
Timestamp 2023-09-22T17:29:51
Platform 10.0.22621/x64 v947 06_9e
PID 12200
WoW x86
Feature 007D0A3617BF01B6
Application C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe
Created 2023-09-20T18:45:14
Description Discord 1.0
Callee Type AllocateVirtualMemory 0x1B184000 (241664 bytes)

Branch Trace
Opcode To
-------------------------------- -------- --------------------------------
PeekMessageW +0x1da RET* 0x01048CB4 Discord.exe ^0284
0x76CEBFFA user32.dll
 8b3b MOV EDI, [EBX]
 8b7308 MOV ESI, [EBX+0x8]
 89f9 MOV ECX, EDI
 6a04 PUSH 0x4
 6a0c PUSH 0xc
 e8ecb8a302 CALL 0x3a845b0
 8d480c LEA ECX, [EAX+0xc]
 894f04 MOV [EDI+0x4], ECX
 8930 MOV [EAX], ESI
 c740046d000000 MOV DWORD [EAX+0x4], 0x6d
 eb40 JMP 0x1048d15
 (B286BCFEBFD86A66)
MsgWaitForMultipleObjectsEx +0x54 ~ RET* 0x01048D05 Discord.exe ^00C8
0x76CE22D4 user32.dll
 028d480c894f ADD CL, [EBP+0x4f890c48]
 0489 ADD AL, 0x89
 30c7 XOR BH, AL
 40 INC EAX
 0469 ADD AL, 0x69
 0000 ADD [EAX], AL
 008b4d0c8948 ADD [EBX+0x48890c4d], CL
 08e9 OR CL, CH
 03fc ADD EDI, ESP
 (FCF60F8AEADBABD9)
NtUserMsgWaitForMultipleObjectsEx +0xc ~ RET MsgWaitForMultipleObjectsEx +0x51 ^012C
0x760C5CBC win32u.dll 0x76CE22D1 user32.dll

Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 74FA0BF0 KernelBase.dll VirtualAlloc +0x40
2 0409E858 Discord.exe
 85c0 TEST EAX, EAX
 0f95c0 SETNZ AL
 5e POP ESI
 5d POP EBP
 c3 RET
3 040FCFD5 Discord.exe
4 03B50E28 Discord.exe
5 0156C9D6 Discord.exe
6 0153DC53 Discord.exe
7 0153B491 Discord.exe
8 01538BE5 Discord.exe
9 015410D8 Discord.exe
10 015492E8 Discord.exe

Loaded Modules (123)
-----------------------------------------------------------------------------
00B00000-090BC000 Discord.exe (Discord Inc.), version: 1.0.9018
770C0000-7726F000 ntdll.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
76A50000-76B40000 KERNEL32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
73DA0000-73EBC000 hmpalert.dll (SurfRight B.V.), version: 3.8.22.947
74E60000-750D3000 KERNELBASE.dll (Microsoft Corporation), version: 10.0.22621.2283 (WinBuild.160101.0800)
74DC0000-74E5C000 OLEAUT32.dll (Microsoft Corporation), version: 10.0.22621.1992 (WinBuild.160101.0800)
755B0000-75629000 msvcp_win.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
750E0000-751F2000 ucrtbase.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
752C0000-7553C000 combase.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
762E0000-7639A000 RPCRT4.dll (Microsoft Corporation), version: 10.0.22621.1992 (WinBuild.160101.0800)
76B50000-76BAF000 WS2_32.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
75660000-75763000 CRYPT32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
6C940000-6CD75000 ffmpeg.dll (), version:
6C5F0000-6C93C000 UIAutomationCore.DLL (Microsoft Corporation), version: 7.2.22621.2070 (WinBuild.160101.0800)
6C410000-6C5E2000 dbghelp.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
73220000-73226000 MSIMG32.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
75630000-75653000 GDI32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
760C0000-760DA000 win32u.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
76870000-76951000 gdi32full.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
76CC0000-76E68000 USER32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
73250000-73281000 WINMM.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
74110000-74134000 IPHLPAPI.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
744B0000-744B8000 VERSION.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
75ED0000-75F94000 msvcrt.dll (Microsoft Corporation), version: 7.0.22621.608 (WinBuild.160101.0800)
744C0000-744E4000 USERENV.dll (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
6F650000-6F868000 DWrite.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
6CF10000-6CF88000 WINSPOOL.DRV (Microsoft Corporation), version: 10.0.22621.1778 (WinBuild.160101.0800)
76FE0000-770A1000 shcore.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
6DE70000-6DE7A000 Secur32.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
74140000-7421C000 WINHTTP.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
767E0000-76864000 sechost.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
740D0000-740E7000 dhcpcsvc.DLL (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
740A0000-740C6000 SSPICLI.DLL (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
760E0000-76105000 IMM32.DLL (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
75540000-755A2000 bcryptPrimitives.dll (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
76110000-7618D000 ADVAPI32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
744F0000-744FB000 CRYPTBASE.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6DD90000-6DDD5000 powrprof.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
6DD80000-6DD8E000 UMPDC.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
74220000-7429F000 uxtheme.dll (Microsoft Corporation), version: 10.0.22621.2283 (WinBuild.160101.0800)
73FA0000-73FF1000 mswsock.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
75770000-75DFF000 SHELL32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
74490000-744A3000 kernel.appcore.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
68B40000-69A5E000 discord_voice.node (), version:
76190000-762DF000 ole32.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
76BD0000-76C1B000 SHLWAPI.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
6CD80000-6CE4A000 dxgi.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
6A880000-6AAB8000 d3d11.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
68AF0000-68B33000 qwave.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
68A20000-68AE6000 OPENH264-2.2.0-WIN32.DLL (Cisco Systems Inc.), version: 2.2.0.2201
68500000-68A1A000 mediapipe.dll (), version:
74380000-7439A000 bcrypt.dll (Microsoft Corporation), version: 10.0.22621.1992 (WinBuild.160101.0800)
6DAB0000-6DAB9000 AVRT.dll (Microsoft Corporation), version: 10.0.22621.608 (WinBuild.160101.0800)
6DC30000-6DC39000 msdmo.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
742A0000-742C4000 dwmapi.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
6B820000-6B82C000 TRAFFIC.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
684F0000-684FF000 WMICLNT.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
76960000-769E2000 clbcatq.dll (Microsoft Corporation), version: 2001.12.10941.16384 (WinBuild.160101.080
684D0000-684EC000 devenum.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
73C00000-73C3D000 CFGMGR32.dll (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
763A0000-767DD000 setupapi.dll (Microsoft Corporation), version: 10.0.22621.1778 (WinBuild.160101.0800)
6CF90000-6CFB9000 ntmarta.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
68430000-684C7000 Windows.Devices.Enumeration.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
73CD0000-73D97000 PROPSYS.dll (Microsoft Corporation), version: 7.0.22621.2215 (WinBuild.160101.0800)
683A0000-6842C000 StructuredQuery.dll (Microsoft Corporation), version: 7.0.22621.2070 (WinBuild.160101.0800)
74500000-7451D000 profapi.dll (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
68360000-68396000 MSWB7.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
68340000-6835C000 DevDispItemProvider.dll (Microsoft Corporation), version: 10.0.22621.1778 (WinBuild.160101.0800)
73290000-732B4000 DEVOBJ.dll (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
769F0000-76A49000 WINTRUST.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
74480000-7448E000 MSASN1.dll (Microsoft Corporation), version: 10.0.22621.819 (WinBuild.160101.0800)
6DB30000-6DBAC000 MMDevApi.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
68300000-6833B000 mfwmaaec.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6B710000-6B818000 mfperfhelper.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6D7C0000-6D94A000 AUDIOSES.DLL (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
682F0000-68300000 resourcepolicyclient.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6D670000-6D77A000 Windows.UI.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
682D0000-682E6000 notificationstate.node (), version:
682B0000-682CB000 notificationstate.node (), version:
681F0000-682B0000 discord_utils.node (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
73240000-7324B000 HID.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
681C0000-681E9000 dbgcore.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
68150000-681BA000 discord_erlpack.node (Microsoft Corporation), version: 7.0.22621.2070 (WinBuild.160101.0800)
67D30000-67DF8000 discord_game_utils.node (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
64070000-641DD000 gdiplus.dll (Microsoft Corporation), version: 10.0.22621.1778 (WinBuild.160101.0800)
62B90000-6406A000 discord_krisp.node (), version:
743D0000-743E5000 CRYPTSP.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
743A0000-743D0000 rsaenh.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
75FA0000-75FBB000 imagehlp.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
74350000-74371000 gpapi.dll (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
74320000-74347000 cryptnet.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
73F90000-73F9A000 WINNSI.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
76BB0000-76BB7000 NSI.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
627F0000-62B8C000 discord_cloudsync.node (), version:
62760000-627EC000 discord_overlay2.node (), version:
6DC20000-6DC2E000 wbemprox.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
6DBB0000-6DC17000 wbemcomn.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6DB10000-6DB21000 wbemsvc.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
6D9E0000-6DAAC000 fastprox.dll (Microsoft Corporation), version: 10.0.22621.1635 (WinBuild.160101.0800)
6D9C0000-6D9D5000 amsi.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6D950000-6D9BC000 MpOav.dll (Microsoft Corporation), version: 4.18.23080.2006 (04d8e871ffe7ba6b2204046
62590000-6261D000 discord_media.node (), version:
732C0000-732EE000 dxcore.dll (Microsoft Corporation), version: 10.0.22621.1778 (WinBuild.160101.0800)
6BD10000-6BD4C000 directxdatabasehelper.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
740F0000-74106000 dhcpcsvc6.DLL (Microsoft Corporation), version: 10.0.22621.1344 (WinBuild.160101.0800)
73ED0000-73F89000 DNSAPI.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
72E90000-72EA2000 napinsp.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6F630000-6F646000 pnrpnsp.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
73210000-7321E000 winrnr.dll (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
6F610000-6F621000 wshbth.dll (Microsoft Corporation), version: 10.0.22621.1778 (WinBuild.160101.0800)
743F0000-74408000 nlansp_c.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
62530000-62590000 discord_modules.node (), version:
61D20000-62525000 discord_dispatch.node (), version:
76B40000-76B46000 PSAPI.DLL (Microsoft Corporation), version: 10.0.22621.1 (WinBuild.160101.0800)
68070000-6814E000 AppXDeploymentClient.dll (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
67FB0000-68070000 Windows.ApplicationModel.dll (Microsoft Corporation), version: 10.0.22621.2070 (WinBuild.160101.0800)
74520000-745E7000 wintypes.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
745F0000-74CD3000 windows.storage.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
73C40000-73CC1000 Windows.FileExplorer.Common.dll (Microsoft Corporation), version: 10.0.22621.2215 (WinBuild.160101.0800)
67FA0000-67FB0000 mssprxy.dll (Microsoft Corporation), version: 7.0.22621.2070 (WinBuild.160101.0800)
73B70000-73BA0000 windows.staterepositoryclient.dll (Microsoft Corporation), version: 10.0.22621.1928 (WinBuild.160101.0800)
67F10000-67F28000 quiethours.node (), version:
61950000-61B2A000 cld.node (), version:

Process Trace
1 C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [12200]
 "C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe" --type=renderer --user-data-dir="C:\Users\prere\AppData\Roaming\discord" --standard-schemes --secure-schemes=disclip --bypasscsp-schemes --cors-schemes --fetch-schemes=disclip --service-worker
2 C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Dropped Files
1 C:\Users\prere\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index~RF2813088.TMP
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
2 C:\USERS\PRERE\APPDATA\ROAMING\DISCORD\SENTRY\SCOPE_V2.JSON
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
3 C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000073.log
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
4 C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000074.ldb
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
5 C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000075.ldb
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
6 C:\Users\prere\AppData\Local\Temp\scoped_dir11120_1882702941\66393d9ab8472e274405461a927298e2.png
 Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Thumbprints
d41c6aebcc41428e6707e70acaa264954b5a990ace3ef82fa6d692d4f93c8ce7
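The post asks whether these two HMPA ROP mitigations are false positives. The first thing a responder checks in such a log is where the VirtualAlloc call came from: in both logs every return address on the stack resolves into a loaded image (Discord.exe at 00B00000-090BC000 and KernelBase.dll), and the alerting process is a Chromium renderer (--type=renderer in the Process Trace), which is the pattern a JavaScript JIT produces when it allocates executable memory from its own generated code. A genuine ROP chain into shellcode usually leaves at least one frame in memory that no module backs. The script below is an added example written for this page, not HMPA's, SurfRight's or the poster's code; it parses the log's sections and applies that check to a constructed, condensed copy of the first log. The field names are those HMPA printed above, and the assumption that the main executable is listed first in Loaded Modules is taken from the two logs as posted.

```python
"""Triage helper for HitmanPro.Alert (HMPA) ROP mitigation logs.
Added example, not HMPA's or the poster's code; assumptions are marked in comments."""
import re

# Constructed sample: a condensed copy of the first log in the post with line
# breaks restored; only 3 of its 43 loaded modules and 4 of its 10 frames are kept.
SAMPLE_LOG = r"""
Mitigation ROP
Timestamp 2023-09-22T17:29:53
PID 10504
Application C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe
Callee Type AllocateVirtualMemory 0x3D0C4000 (241664 bytes)
Stack Trace
1 74FA0BF0 KernelBase.dll VirtualAlloc +0x40
2 0409E858 Discord.exe 85c0 TEST EAX, EAX 0f95c0 SETNZ AL 5e POP ESI 5d POP EBP c3 RET
3 040FCFD5 Discord.exe
10 0163A191 Discord.exe
Loaded Modules (43)
00B00000-090BC000 Discord.exe (Discord Inc.), version: 1.0.9018
73DA0000-73EBC000 hmpalert.dll (SurfRight B.V.), version: 3.8.22.947
74E60000-750D3000 KERNELBASE.dll (Microsoft Corporation), version: 10.0.22621.2283 (WinBuild.160101.0800)
Process Trace
1 C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [10504] "C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe" --type=renderer --user-data-dir="C:\Users\prere\AppData\Roaming\discord"
2 C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
"""

SECTION_HEADERS = ("Branch Trace", "Stack Trace", "Loaded Modules",
                   "Process Trace", "Dropped Files", "Thumbprints")
HEADER_KEYS = ("Mitigation", "Timestamp", "Platform", "PID", "WoW", "Feature",
               "Application", "Created", "Description", "Callee Type")
MODULE_RE = re.compile(r"^([0-9A-Fa-f]{8})-([0-9A-Fa-f]{8})\s+(\S+)")   # "start-end name ..."
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)")              # "n address module ..."


def split_sections(text):
    """Group non-empty lines under the HMPA section header that precedes them."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = next((h for h in SECTION_HEADERS if line.startswith(h)), None)
        if head:
            current = head
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def parse_header(lines):
    """'PID 10504' -> {'PID': '10504'}; only the known HMPA keys are accepted."""
    fields = {}
    for line in lines:
        key = next((k for k in HEADER_KEYS if line.startswith(k + " ")), None)
        if key:
            fields[key] = line[len(key):].strip()
    return fields


def parse_modules(lines):
    """Loaded Modules rows -> list of (start, end, name) with int addresses."""
    hits = (MODULE_RE.match(line) for line in lines)
    return [(int(m.group(1), 16), int(m.group(2), 16), m.group(3)) for m in hits if m]


def parse_frames(lines):
    """Stack Trace rows -> list of (frame number, return address, module as printed)."""
    hits = (FRAME_RE.match(line) for line in lines)
    return [(int(m.group(1)), int(m.group(2), 16), m.group(3)) for m in hits if m]


def backing_module(address, modules):
    """The loaded module whose image range contains the address, or None."""
    return next((mod for mod in modules if mod[0] <= address < mod[1]), None)


def triage(log_text):
    """Parse one HMPA log and decide whether the ROP alert deserves escalation."""
    s = split_sections(log_text)
    header, modules = parse_header(s.get("Header", [])), parse_modules(s.get("Loaded Modules", []))
    frames, pid = parse_frames(s.get("Stack Trace", [])), header.get("PID", "")
    # The alerting process's command line is the Process Trace row tagged with its [PID].
    cmdline = next((row for row in s.get("Process Trace", []) if f"[{pid}]" in row), "")
    renderer = "--type=renderer" in cmdline
    main_image = modules[0][2] if modules else ""  # assumption: main exe listed first, as in the post
    unbacked, in_main = [], []
    for number, address, printed in frames:
        mod = backing_module(address, modules)
        if mod is None:
            unbacked.append(f"#{number} {address:08X} ({printed})")
        elif mod[2] == main_image:
            in_main.append(number)
    if unbacked:  # a return address no image backs is the classic shellcode/ROP tell
        verdict = "ESCALATE: return address(es) outside every loaded module: " + ", ".join(unbacked)
    elif renderer and in_main:  # JIT in a Chromium renderer allocating code memory
        verdict = ("LIKELY BENIGN JIT: allocation reached from the application's own image in a "
                   "renderer process; verify the binary against a clean install before excluding")
    else:
        verdict = "INCONCLUSIVE: review the branch trace and calling module by hand"
    return {"mitigation": header.get("Mitigation"), "pid": pid, "callee": header.get("Callee Type"),
            "main_image": main_image, "renderer_process": renderer, "unbacked_frames": unbacked,
            "frames_in_main_image": in_main, "verdict": verdict}
```

Run `triage(open("hmpa.log").read())` on a log saved from HMPA's report window; the dictionary it returns carries the evidence behind the verdict (which frames fell inside the main image, which fell outside every module, whether the process was a renderer), which is what to paste into a ticket rather than the verdict string alone. The "LIKELY BENIGN" branch deliberately stops short of "safe": an unsigned module with an empty version field (several of the .node files above print that way) or a Discord.exe hash that differs from a clean install of the same version would still warrant a closer look.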
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Also found another file in the debug folder called NetSetup.LOG; I found it odd as it has some random computer name in it that's not mine. MSERT had 4 infected files during the scan, but like you said, those don't matter.
msert.log
NetSetup.LOG
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
For now, I'll leave this HitmanPro EWS scan I did. Mind you, some could be false positives, but I believe whatever it is replaces your Windows with older/modified Windows files to allow themselves access. I still don't know how to clean the Boot (X:) thing (I know it's a normal Windows/PC thing, but it's probably hijacked with their own files), so I still suspect it uses an exploit within that.
HitmanPro_EWS.log
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
I've decided to just leave it as is on a new Windows install with a new Windows key. As I'm able to play my games and do everything I want, I'll deal with it.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
report_2023.09.20_09.36.54.txt
Also, I'm fresh installing Windows again, but this time making it so I have access to the fixboot commands, and using an ISO from a separate device.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Pretty sure it has a driver it's using to do this, perhaps through the MBR, but it shouldn't still be happening because I had formatted every single drive, I can promise you that. I will be repeating that process tomorrow, but from a USB made on a laptop so it's a clean ISO.
ufadraow.sys
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Hello. Currently the link provided, https://free.drweb.com/, just shows a grey loading page and doesn't load anywhere; it just stays grey.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Alright, I'll be following up tomorrow as I'm currently busy.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Don't you get constant logs from people who have programs installed and not fresh installs? I'm actually confused; like, do you want me to go back to the restore point his program made?
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
All these 3rd-party programs are clean, I can assure you of that; they're typical things you see on most machines. The tweaks, though, just came from the video you sent me that I used with his PowerShell tool. Not sure why it'd have anything to do with the hijacked machine.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Well, these are all just freshly installed programs from Chris Titus's tool from the clean install video. The Edge thing is probably what was used to disable Microsoft Edge, as I just did what he did; same goes for OneDrive, it's light modifications. But I can uninstall these programs to make it easier if you'd like.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Here are the logs:
mbst-grab-results.zip
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Hello, I made the USB drive with the media installation program they use on the website that just installs it onto the USB. Also, I can assure you I've freshly installed completely everything, and right now I just had to initialize my disks after deleting all partitions on them. I have a question though: the NVMe I used to install Windows has a recovery partition of 674 MB, is this normal?
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
I don't believe I'm the only one who has had this issue: https://answers.microsoft.com/en-us/windows/forum/all/i-have-a-boot-x-virus-and-i-can-not-get-ride-of-it/ff174573-04c4-4a99-908c-229fec69c3a8
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
I have Windows 11 now though; if you'd like me to send logs, no clue if that'll help.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
I'm gonna be honest, I probably have a bootkit of some sort.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
OK, I'm probably overthinking it. As I've already done all the steps you said, I'm going to go through with installing Windows 11.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
Looks like I've got all drives showing now, but they all have 116 MB of unallocated space that cannot be fixed, and Boot (X:) remains. I'll be waiting for your response before doing anything else.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
I was able to get rid of all partitions except all drives and such, but it still shows Boot (X:) when browsing drivers; if I had never clicked to browse I would not have found it.
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
It says the unallocated 23 GB is an MBR partition; how do I delete this damn thing?
Hidden Virus in Event Viewer, possible botnet
d9d9 replied to d9d9's topic in Resolved Malware Removal Logs
I'm typing on mobile at the moment. One of my SSDs has 23 GB of unallocated space. When going into the menu to see drives/drivers, I have a random drive called Boot under the letter X that has WinSxS, a Public user and all these Windows folders. I'm not able to delete it though somehow, and using diskpart it does not show up. Not sure if this is a normal thing, but WinSxS was one of the folders that was hijacked. Also, when trying to make the 23 GB of unallocated space an assigned volume, it does not allow it. I do not know where the Boot drive with the letter X is coming from. I also want to mention that when using Secure Boot it said my keys were modified, but I've never modified any of the keys on it, maybe some BIOS options for the CPU, that's it. If you could get back to me ASAP it'd be helpful!