Persistent infection 2: no access to programs, not detected by MB, but by VirusTotal


Hi, I have a persistent malware infection in Win10 x64 (latest updates till Aug 2018).
I have done a clean install several times (I have another drive as well that has data which was not formatted), but after working for some time the infection returns, usually after reboots or installing software or doing Windows updates etc.

The following happens:

1) Avast antivirus does not detect anything but continuously uses around 10% CPU.
2) Installed Malwarebytes, but sometimes it works, other times malware protection and ransomware protection turn off on their own and do not turn back on. If I run Chameleon with the Malwarebytes window open, it says Malwarebytes is not installed and tries to install it but fails, and all files are deleted from the Malwarebytes folder. Then if I manually install Malwarebytes it installs, but after reboots the same issue.
3) Bitdefender antivirus does not detect anything.
4) Comodo antivirus also does not detect anything but uses 25% CPU.
5) Avira antivirus also does not detect anything.
If the computer goes to sleep or if it is restarted, then the password of the computer gets changed by the malware; I have to reset it using the 3 secret questions (Win10 x64).
6) If Malwarebytes is able to work then OK; otherwise Task Manager or any other app says you don't have permissions etc.

Also SYSTEM tries to go to UDP port 137. Log copy of Outpost firewall blocked logs:

    SYSTEM    OUT    UDP    131.253.61.86    137    
    SYSTEM    OUT    UDP    131.253.61.82    137    
    SYSTEM    OUT    UDP    131.253.61.64    137    
    SYSTEM    OUT    UDP    13.107.4.52    137    
    SYSTEM    OUT    UDP    104.27.128.190    137    
    SYSTEM    OUT    UDP    104.20.94.33    137    
    SYSTEM    OUT    UDP    74.125.24.188    137    

Hence I have now formatted the system and reinstalled Win10 x64 (I have another drive as well that has data which was not formatted) and installed Emsisoft Anti-Malware; it also does not detect anything.

Ran Autoruns and it found viruses detected by VirusTotal.

The VirusTotal entries show some files are infected, but that has been detected by one antivirus company only. I copied all these files to a folder, zipped them and ran analysis on VirusTotal
https://www.virustotal.com/#/file/47b4b566e2de3e7f73a554073ba028a5b165f0918c8ec134aef9378aade196d9/details
and Hybrid Analysis as well
https://www.hybrid-analysis.com/sample/47b4b566e2de3e7f73a554073ba028a5b165f0918c8ec134aef9378aade196d9
and they said infected.
I uploaded one of the files to hybrid-analysis.com and ran it on Win7 x64; it also said infected. But not detected by MB.


Also when the infection first started, the display driver was said to be corrupt etc., and now and then Intel display components asked for some permissions to ntoskrnl etc., and Wi-Fi stopped working and the DNS service took a large CPU percentage, with only Bitdefender installed at that time. So I went to the Wi-Fi adapter and put a manual IP and DNS. Then it worked. However, it used to work without that in the past.
As Avast was taking high CPU and not detecting anything, I renamed its folder (in safe mode) in Program Files but did not uninstall it.
Also ran the aswMBR.exe Avast rootkit tool earlier, but it gave a BSOD when trying to read the Xbox drivers (like xinputhid.sys, shown as a virus by virustotal.com (https://www.virustotal.com/#/file/682d1f32dd1bbeb031d5129ce40d9c77d3c6cf4fb5979f1918b2482af617b5be/detection) https://www.hybrid-analysis.com/sample/682d1f32dd1bbeb031d5129ce40d9c77d3c6cf4fb5979f1918b2482af617b5be) and showed for a split second that that file was locked, so I used Ubuntu to delete all the Xbox drivers, thinking they might be infected, and used Autoruns to remove them from loading in drivers and services (deleted Xbox drivers included as zip). It still did not run fine and gives a BSOD in the end.

So I installed Malwarebytes, but it got disabled on its own on reboots.

So I installed Emsisoft, but it did not detect anything. However, the automatic password changes stopped and Malwarebytes also works every time now; I guess it cannot handle the malware without Emsisoft's support.
Also I have many portable apps from portableapps.com, but some of them work, others do not at all; however they can be seen in Task Manager. For those that work, Emsisoft says it looks like malware, but I tell it to trust it and only then it runs. Is this normal? The portable apps are on a drive other than the system drive.
Also if I disable Emsisoft Anti-Malware and Malwarebytes (as I did for the FRST scan), and then restart Emsisoft, then SERVICES.EXE wants access to the exe's of Emsisoft according to Outpost firewall, and when access is granted the Emsisoft window opens but hangs with the cursor busy, and no other program opens as well. So basically every window that is already open will be working, but as you try to do something that program hangs as well, and I have to restart. And Malwarebytes did not even start.

Also my firewall tells me my browser wants direct disk access to Dr0, so I disallow it.

FRST scan included. Do you have a rootkit scanner that can be run from USB like an offline scan? Also can Emsisoft be asked to report on UAC automatically if the services have been disabled?

Please let me know what can be done next.

Regards.

Addition.txt

AdwCleaner[S00].txt

FRST.txt

Infected files.zip

MB threat scan summary.txt

xbox deleted files.zip
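The blocked-connection log quoted above shows the SYSTEM process sending UDP 137 (NetBIOS name service) datagrams to public Internet addresses. As an added example that is not part of the original post, the following script parses log lines in that layout and flags outbound NetBIOS datagrams whose destination is not a private or otherwise reserved address; the sample log text is constructed, and the column order (process, direction, protocol, remote address, remote port) is assumed from the post.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the same layout as the Outpost firewall log quoted in
# the post: process, direction, protocol, remote address, remote port. The two
# last lines were added so the filter has lines to pass through.
SAMPLE_LOG = """\
SYSTEM    OUT    UDP    131.253.61.86    137
SYSTEM    OUT    UDP    13.107.4.52    137
SYSTEM    OUT    UDP    192.168.1.20    137
SYSTEM    OUT    UDP    8.8.8.8    53
svchost.exe    OUT    TCP    104.20.94.33    443
"""

# NetBIOS name service (137/udp) and datagram service (138/udp) only make sense
# on the local network; sending them to Internet addresses leaks the machine's
# name and is worth asking about, though it is not by itself proof of malware.
NETBIOS_PORTS = {137, 138}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for malformed or unparseable lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    proc, direction, proto, addr, port = parts[:5]
    try:
        return {
            "process": proc,
            "direction": direction,
            "protocol": proto,
            "remote": ipaddress.ip_address(addr),
            "port": int(port),
        }
    except ValueError:
        return None


def netbios_leaks(log_text: str) -> List[str]:
    """Return remote addresses of outbound NetBIOS datagrams sent to public IPs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["direction"] == "OUT" and rec["protocol"] == "UDP"
                and rec["port"] in NETBIOS_PORTS and rec["remote"].is_global):
            hits.append(str(rec["remote"]))
    return hits


if __name__ == "__main__":
    for ip in netbios_leaks(SAMPLE_LOG):
        print("outbound NetBIOS to public address:", ip)
```

Outbound NetBIOS to the Internet is commonly produced by Windows name-resolution fallback rather than by malware, so a hit here is a reason to check the adapter's NetBIOS over TCP/IP setting and firewall rules, not a detection on its own.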


Hi Malwarebytes support, can someone please reply to my issue.

I had the same issue a few months back, so this time also I did a full format and reinstall again after this post, but the infection came back after I install any software, even if I downloaded the file anew from the Internet, like Firefox etc.

Actually the system stopped working at all, so I used an old image backup to restore a clean Windows 10 image on the computer; I also formatted the other drives before doing so, but as has happened in the past, this time again the infection came back.

So when it was just working fine I ran Autoruns and saved the entries, and ran it again when it got infected on its own and saved the entries again. However, it is to be mentioned here that other exe's were not opening at all, but autoruns.exe ran fine if run without admin privileges.


I have made a VMware machine of the infected system which behaves in the same way. If you want I can share the Autoruns entries before and after the infection, or I can share the whole VMware virtual machine if you want (several GB). Malwarebytes did not install in normal mode: access denied to exe, msi etc.
So I booted into safe mode and installed Malwarebytes and ran a scan, but nothing was found.

However, normal boot mode started working after taking high CPU usage and no longer denies exe, msi; I have uninstalled all extra software to make the VMware machine light.

But Malwarebytes does not detect anything even after update.

FRST and Malwarebytes logs attached from VMware, as the system is no longer working, hence using VMware on Ubuntu.

Kindly do reply back, if someone can.

Regards.

Addition.txt

FRST.txt

malwarebytes report.txt

  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
