Jump to content

Verification after infection removal

Recommended Posts

Hello Malware Fighters!

My PC was infected by a HKU\S-1-5-21 related trojan. Since the infection keeping back after removals I decide to tottaly nuke a HDD (3 x Low Level Format + Manual "Zero Fill" first 1MB on a drive).

Now i need to find out that my system is totally clean, because after fresh installation of OS my PC works rather slow and some fonts in system windows are blurry. Also a task manager shows a lot of processes that look like an infection (Lanman Workstation, mDNS, server etc.). After spending some time with a Microsoft documentation I think those tasks are OK, but I'm a little paranoid now :) And last thing - it is possible that Windows become activated even if I didn't log in to my MS account?

Please help me to figure it out.



Link to post
Share on other sites

  • Root Admin

Hello @Sushi414 and :welcome:

The logs are not showing any obvious signs of an infection. Let me have you run a few different scans though and we'll see if anything turns up.


Please run the following steps and post back the logs as an attachment when ready.


  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.


Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3


Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not




Link to post
Share on other sites

Hello Ron @AdvancedSetup, thank you for your reply! 😃

I do all the steps, as you tell me. Please keep in mind, that PC was untouched until my last post. Result is always the same - everything is good, nothing was found and PC is safe😋

"Andrew" of course back with all his family (yeah, after a month of fighting I give a name to it - lame, I know 😜), and here is a brief description of what happened:


I have installed MBAM and start a scan. "Andrew" don't like Malwarebytes and IObit (if installation of IObit Malware Fighter don't be very quick - just after the OS installation - it is almost impossible to install, you can see miracles on a screen 🎆 "Andrew" is a wizard 🧙‍♂️). I only clicked on your link to download MBAM, and all fans starts spinning. Anyway, all the times result is the same - 0 detections, PC is safe! It's no matter what software is used to scan - probably I have tried every possible - free and premium (we spent for now 700$ for the software...). Log is in the attached zip.


Traditionally, AdwCleaner is the only software that is detect something and removing. Yes, as you probably expect it was IObit files and tasks. I of course follow your steps and click to clean, and than allow to restart. This is the moment, that "Andrew" like very much! Nothing is now forcing the DNS correction and nothing helps a Windows Defender - with all the settings on a paranoid level configured. The time of restart is the a time of the most OS modifications. After reboot you can see now good old welcome screen with always the same photo. Generally everything looks perfect, and fans stops spinning. But when you check a Task Manager you can see 100-150 background tasks, 80-200 (!!!) system tasks, if you have opened a browser like I right now, for every opened card you have 5-10 tasks. Of course service-workers are already registered and keeps working.

But something is new, these beautiful alert in console never appears earlier:


As I mentioned before, Windows security settings was set to paranoid level, now of course "nothing changed" in UI, but folders protection stops working 🤔 UAC too... Mysterious!😱

But nothing surprising 😃 "Andrew" always do the same jokes when you try to tell him, that he must move out 😂 

OK, so now we don't have any protection, the scanning log is in the zip, so let's go next 😊


Here will be short, because nothing new happened. Kaspersky scans everything, during the scan it starts syncing and downloading OneDrive files marked as "not to sync". This is actually good behavior since we used business version of OneDrive, that shows files on the drive. Only noticable difference was, that now it's ONLY SCANS files with a sensitive data (email backups, business proposals and documents, databases etc.) so I decide to terminate a OneDrive task. Kaspersky continue and finished a scan successfuly - of course nothing found, everything is great. Even if the interface of a scanner lost polish letters 😅


As I mentioned, we fight with these all "Andrew" stuff from a month now (1 week before December 2018 I discover the malicious procesess and redirects or content replacement on websites). It's affect all computers in our company and homes. It doesn't matter if you have used a Windows, Linux or Mac (Linux ditributions are affected only if they use GRUB bootloader, also the infection is not so harmful. Since MacOS is a UNIX based system, there also it's not so harmful). Since it's using only legit MS Windows components for work and sets a priority for it's own tasks that they started on full CPU/GPU/Memory usage after 5-10 minutes of idle, and you don't try to remove it is very hard to detect.

The worst thing is it's PERSISTANCE! At the beginning I just try to remove a infection. Later we make backups of files and decide to reinstall systems. It didn't work of course. Later I tottaly nuke every HDD/SDD with every possible scenario and tool. With flashing of SDD/HDD new firmware of course. Still no luck. Than I realized, that I don't need any Hard Drive, because correct and original Linux LiveCD/DVD sessions without hard drive attached are also infected 😣

Sure, at the first time I also think, that I am paranoid, people with simmilair problems on forums gets feedback, that everything is OK, that stuff what they can see in /tmp folder of Ubuntu Live session are correct and should be there, that it's normal, and everything is OK.

NO, they are not OK! Spoofing new DNS server addressess is not OK! Hiding devices is not OK! Swaping system bash utils for the useless one is not OK! Example? Partition tools are configured/replaced that they do not display hidden ones also as mapping of memory and partitions. It is very easy to check with other tools (lspci, lsmod etc.) or just run on a clean PC. Also look into GRUB boot files 🤩 This is easiest.

Where I am now with my research?

For now I am pretty sure, that I found a correct place and I think that I'm close to find a solution (I get the idea at 4.00 AM).

Generally I'm a web developer and designer - so keep in mind, that I'm a total NOOB in security related stuff and also in Kernel programming things. But if even for me it looks simple and easy, and threat living on low level I think it will be better if don't will write about it here.


Since these logs zipped are not very helpful I am attaching new FRST logs.


Link to post
Share on other sites

  • Root Admin

Well if all of those different OS are being affected by some redirect it would have to tie to your Router. There is no infection I'm aware of that is able to target both iOs, Android, Linux, and Windows

I would recommend the following if you're using a home router. If you're using an actual more advanced business router then I would have someone with router security experience take a look at it.


Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router DO NOT erase, install, or update the firmware, just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

Thanks again



Link to post
Share on other sites

A router infection was the 3rd/4th thing that we have checked 😐 since there was a hidden configuration made (hotspot with hidden SSID) we just bought a new router 😐

Maybe there is some way, that it connects to other devices via other interfaces... In my opinion the problem is in EFI variables "efivars". You can change a lot of things, and one of the most used features are those connected with boot process. And what is most important here, they can be very easy changed from the OS level.

If a rootkits exist, these kind of infection must also exist. It's logical for me. If an infection can make some changes to partitions on your HDD, it also can use a command, to add, remove and manipulate efivars 🤨 Every OS has it's own toolkit to manipulate efivars. Efivars are powerful, for example they can create any kind of a phony device on your PC, like USB storage device 😎 And now the best! Efivars are a standard of (U)EFI system, it means that one efivar can work on any (U)EFI device! Boom... 🤯

 💩 "Thank you Intel for another buggy crap!" 💩

A one thing that I can't understand is a storage handling and memory mapping. All efivars are stored in NVRAM and I can't figure out, how much storage space there is, because it will determine where all the configurations are stored. In my case, all configs are loaded into memory even without a hard drive attached or any other physical storage and with no internet connection I think, without any Internet connection.

Of course it's good to have some proofs 🤗

My efivars:


One I can say here, that vars like MsdmAddress, lvar, L050krData and some more are DEFINITELY non-standard! Also, I made some changes between different OS installations (I have tried Ubuntu, Fedora, Windows 7 - 10, OpenSuse, Kali and some old Kubuntu and Ubuntu distros that I found in a box) today. Some of them appear between OS installations, but none of them vanished (excepted those created by a firmware itself).

A lot of feedback gives me an OpenSuse installation. Here is a mapping of a subvolume, that is mapped only to system partition (and I can't remove or bypass these mapping at the install process):


Of course, you can say that this BTRFS filesystem, as other modern filesystems provides an encryption solutions! Sure, than mapping is made this way:


Cool! 😜 But now we know at least, what is mapped and where 🤗 I also tried to modify a startup command in GRUB command line, but with no luck. Probably I don't know how to do it properly or maybe it's impossible. I never do things like these before. But GRUB gives me some more informations:


If we add another informations from a Lenovo UEFI Diagnostic Tool (unfortunetly, I didn't take any photo) we know, that we have two fake USB devices. The most probably scenario IMHO, is that infected EFI boot files from OS get some bug and create another one USB device. Another scenario is that one device provide some configs before a bootloader, and another one after it. One thing I am 100% sure, that everything happen on a boot process. Period.

Some good news...

During all those installations I have found a solution to bypass all these changes in Linux systems (at least in Ubuntu installed on a HDD). After installation of a system we need to boot again, but from an USB/CD to a live session. Than we need to install an alternative bootloader (rEFInd or Clover, probably any that is not a GRUB). After that we need to uninstall GRUB, remove all GRUB related configurations from a HDD, next we need to install GRUB x64 EFI only package and generate new efi boot files (grubx64.efi) in a location other than default. At the end we need to update a path of an Ubuntu entry in a configuration .plist file of our new bootloader. It must point to our newly created grubx64.efi file.

After reboot we should see our new bootloader. After choosing an OS to boot, we should get a clean (Ubuntu in this example) system ready to work.

But it not remove an infection...

Yes it's not. Also I can't get this to work for a Windows. Until I find a solution how to reset all the settings in efivars, another solution worth trying is to set a bootloader to boot a system from a VHD. (U)EFI allows that and much much more, but probably if you know how to do that, you probably know how to reset all the efivars settings 😜


I found some more, but I will write about it in a PM @AdvancedSetup Ron! 😎

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.