
[Please Help] Powershell/Windows apps?


Acar


I've been battling a pretty bad rootkit for about 2 weeks. [Elevated users, the de-elevation of me, CPU maxing out, forced Windows updates, fake MS help forums].

After updating the BIOS and a few wipes and reinstalling some drivers I finally got my internet and graphics drivers back, but I'm not sure if I'm safe yet.

Upon connecting to the internet I'm bombarded with Windows Defender trying to push new drivers on me, and still have some sketchy powershell.exe files going on. I purchased Malwarebytes Premium a few days ago but do not feel safe entering my key into this machine yet.

I also notice a collected group of files all created 3-18-2017 that cannot be deleted; they seem to survive wipes/re-installs of Win10.

Any help will be greatly appreciated.

FRST.txt

Addition.txt


  • Root Admin

Okay, great. Nothing found which is good. Let's go ahead and run some other scans and get some more logs.

 

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Not sure if you've seen my logs? 

I've been trying to rescan with FRST with no luck, Just updated it again today and giving it another shot.

GMER pulled up a boatload of things on my initial scan, including an altered MBR. - This is a fresh wipe/reinstall mind you, aside from the tools and AV i have put back on the machine.

For the record, the lag is what started my search for infection, as well as remote logins, as if I was on a VM or networked with another machine.

 

I also have the strange URLs tracking cookies such as "d2wqgvap25i10a.cloudfront.net" and others like Facebook and such, and I don't even use FB.

Possibly bitcoin miners? - All in all, I still do not feel safe putting any passwords/program keys in this machine yet.


  • Root Admin

Those scanners should have removed that stuff, but let's try running a Kaspersky antivirus scan.

 

Please download and run the following tool to remove any found threats

Kaspersky Virus Removal Tool

 

But, maybe try running a full disk check first. Disk errors can also cause unexpected issues.

 

 


Please click on the "Search the web and Windows" box.



Then type in CMD.EXE and when it shows on the start menu right click and select "Run as administrator"

 


 

In the command prompt please type the following exactly.

CHKDSK  C:  /R

This will tell Windows to run a full disk check, however you'll get the following, telling you it cannot run because it's in use.

Press the Y key to tell it to run on the next restart of the computer.

 


Microsoft Windows [Version 10.0.10586]


(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>CHKDSK C: /R
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)

 

Then restart the computer and let it run.
Then find and copy the disk check entry from the Event Logs and paste back the results here.

How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10

 

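The last step above asks the user to find the disk-check entry in Event Viewer by hand. The following is an added example (not from the original thread or from Malwarebytes) that does the same thing from an elevated PowerShell prompt: a scheduled CHKDSK C: /R writes its full report after the reboot as an event with ID 1001 from the Wininit source in the Application log, so the script pulls the newest such event, prints the report that the thread asks to paste back, and extracts the verdict and bad-sector count. The regular expressions used to pick out those lines are this example's own assumption about the report wording.

```powershell
# Added example: read the boot-time CHKDSK report from the Application event log.
# Run from an elevated PowerShell prompt after the reboot that ran the scheduled check.

# Newest boot-time chkdsk report: Event ID 1001 logged by the Wininit source.
$chk = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1001 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Wininit*' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1

if (-not $chk) {
    Write-Warning 'No boot-time chkdsk report found; the scheduled check may not have run yet.'
    return
}

# The full report, exactly as Event Viewer shows it (this is what the thread asks to paste back).
$report = $chk.Message
Write-Output ("Disk check logged at {0}" -f $chk.TimeCreated)
Write-Output $report

# Pull out the lines a reviewer cares about. The match patterns are assumptions about
# the report wording ("found no problems", "KB in bad sectors", "Cleaning up ...").
$lines      = $report -split "`r?`n"
$verdict    = ($lines | Where-Object { $_ -match 'found no problems|made corrections|errors' }) -join '; '
$badSectors = if ($report -match '(\d+)\s+KB in bad sectors') { [int]$Matches[1] } else { $null }
$cleanups   = @($lines | Where-Object { $_ -match '^\s*(Cleaning up|Correcting|Deleting|Recovering)' })

[pscustomobject]@{
    LoggedAt       = $chk.TimeCreated
    Verdict        = $verdict
    BadSectorKB    = $badSectors
    CleanupActions = $cleanups.Count
    Healthy        = ($badSectors -eq 0 -and $verdict -match 'found no problems')
} | Format-List
```

Against the report posted later in this thread the script would report BadSectorKB = 0 and Healthy = True; the three "Cleaning up ... unused index entries" lines are routine housekeeping of the security-descriptor index and are counted, not treated as corruption.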

Tried FRST after this, and still got the same hang-up. -EDIT


Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
  204032 file records processed.
File verification completed.
  20731 large file records processed.
  0 bad file records processed.
Stage 2: Examining file name linkage ...
  255400 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered to lost and found.
Stage 3: Examining security descriptors ...
Cleaning up 1133 unused index entries from index $SII of file 0x9.
Cleaning up 1133 unused index entries from index $SDH of file 0x9.
Cleaning up 1133 unused security descriptors.
Security descriptor verification completed.
  25685 data files processed.
CHKDSK is verifying Usn Journal...
  36551512 USN bytes processed.
Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
  204016 files processed.
File data verification completed.

Stage 5: Looking for bad, free clusters ...
  114216232 free clusters processed.
Free space verification is complete.

Windows has scanned the file system and found no problems.
No further action is required.

 487805951 KB total disk space.
  30548840 KB in 90054 files.
     66592 KB in 25686 indexes.
         0 KB in bad sectors.
    325587 KB in use by the system.
     65536 KB occupied by the log file.
 456864932 KB available on disk.

      4096 bytes in each allocation unit.
 121951487 total allocation units on disk.
 114216233 allocation units available on disk.

Internal Info:
00 1d 03 00 22 c4 01 00 b3 28 03 00 00 00 00 00  ...."....(......
00 01 00 00 37 00 00 00 00 00 00 00 00 00 00 00  ....7...........

Windows has finished checking your disk.
Please wait while your computer restarts.

 


  • Root Admin

Well that's not really much to worry about there from Kaspersky.

At this point, my recommendation would be to backup all of your documents, pictures, bookmarks, etc. to an external drive. Then FDISK, Format, and reinstall Windows from scratch so that you have a good, safe, clean computer. I'm thinking the damage done is just not worth spending the time to try to fix for you at this point.

The complexity of finding, preventing, and cleanup from malware
 

Let me know what you'd like to do

Thanks

Ron

 


  • Root Admin

Please review the following link on how to do a clean install of Windows 10.

I would recommend that you open your Device Manager and print out a screen shot of all your hardware so that you can go get drivers if needed. In many cases Windows 10 might have drivers for your system but not always.

https://www.howtogeek.com/224342/how-to-clean-install-windows-10/

 


==================== Loaded Modules (Whitelisted) ==============

2017-03-18 15:58 - 2017-03-18 15:58 - 000138000 _____ () C:\Windows\SYSTEM32\inputhost.dll
2017-03-18 15:59 - 2017-03-18 21:31 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-03-18 16:03 - 2017-03-18 16:01 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts

-

here are a few.

 

pc.png

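The FRST excerpt above lists two Windows binaries with an empty company field and the hosts file, all dated 2017-03-18, which is the date the poster was worried about. The following is an added example (not from the original thread, from FRST or from Malwarebytes) showing the check a practitioner would run on such entries from an elevated PowerShell prompt: verify each binary's Authenticode status through the Windows catalog store, record its signer, version info and SHA-256, and list the active entries of the hosts file, which is plain text and never signed. The paths are the ones in the excerpt; the function name Test-WindowsFile and the reporting layout are this example's own.

```powershell
# Added example: verify the files FRST listed with an empty "()" company field.
# Run from an elevated PowerShell prompt on the machine in question.

# Paths taken from the FRST excerpt above.
$paths = @(
    'C:\Windows\System32\inputhost.dll',
    'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll',
    'C:\Windows\System32\Drivers\etc\hosts'
)

function Test-WindowsFile {
    # Returns signature, version-info and hash details for one file (helper name is this example's own).
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    # Get-AuthenticodeSignature also consults the Windows catalog store, which is how most
    # inbox binaries are signed (they usually carry no embedded signature).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        SizeBytes = $item.Length
        SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Company   = $item.VersionInfo.CompanyName
        FileVer   = $item.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$results = $paths | ForEach-Object { Test-WindowsFile -Path $_ }
$results | Format-List

# The hosts file is plain text and never signed; show its active (non-comment) entries instead.
# Hosts redirects are a common way to land a user on look-alike pages at a real-looking name.
$hostsPath = $paths | Where-Object { $_ -like '*\etc\hosts' }
if (Test-Path -LiteralPath $hostsPath) {
    Write-Output '--- active hosts entries ---'
    Get-Content -LiteralPath $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }
}

# Binaries under the Windows directory whose signature is not a valid Microsoft one deserve a second look.
Write-Output '--- binaries needing review ---'
$results | Where-Object {
    $_.Exists -and $_.Path -notlike '*\etc\hosts' -and
    ($_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft')
}
```

A cluster of system files sharing one creation timestamp is what a fresh Windows install or a cumulative update produces, so the date alone says little; a Valid catalog signature with a Microsoft signer on the 2017-03-18 binaries is the evidence that they are stock files, while a HashMismatch or NotSigned result on a file in System32 is the thing to escalate. A populated hosts file on a machine the user never edited is the other finding worth pasting into a reply.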

This topic is now closed to further replies.