Ryno2Rhino

Malware w/ increasing aggression & tactics help

Hello there. So my Toshiba laptop has been under attack for a while now. At first it was fairly harmless, although present, but it didn't interfere with day-to-day operation. I read dozens of posts regarding ways to eliminate it and tried a few. I went to bed patting myself on the back and reflected on just how smart I was to outwit this malware. I woke up and found my computer essentially unusable. I no longer had admin privileges, I couldn't run any AV scans, and I can't access any programs pertaining to the computer, i.e. command prompt, notepad, Windows Security, regedit, etc. I'm also unable to access the internet; the webpage displays "can't access website right now. Check spelling and try again." I am currently writing all of this from my phone. I would appreciate any help and thank anyone in advance for whatever advice they may give. I look forward to hearing from someone.


Hi,

Very sorry to read all this.

Q: Is this the same Windows 10 machine that had issues when you posted back in March?

 

Q: Do you have a Windows rescue disc or rescue USB flash/thumb drive?

Q: Do you have a complete recent backup (on offline media) of this system?

Q: Have you tried to get this Windows into SAFE mode? Just for research?

Q: Do you have any other (working) Windows PC at your home? That can be a big help resource.

It is so very difficult to do anything to help unless you get into some mode of Windows on this system. You can't do any fixes from a smartphone/cell phone.

 

Note: Safe mode with Networking would be ideal.

We need to get the PC into Windows Safe Mode, so we can have you run Malwarebytes there.

 

Let's get the machine into Safe mode with Networking.

This article is a how-to on getting to safe mode for Windows 10:
· Windows 10: http://windows.microsoft.com/en-gb/windows-10/start-your-pc-in-safe-mode


Hey Maurice! Thank you very much, brother, for generously spending time helping me out with this headache. Now to answer your questions...

Q: Is this the same Windows 10 machine that had issues when you posted back in March?

A: No, it is not the exact same one. Unfortunately that one didn't survive an incident where I accidentally threw it against a brick wall. But a lot of the issues are similar and it may prove to be infected with the same thing, because I'm pretty sure I was transporting it and loading from an infected USB.

 

Q: Do you have a Windows rescue disc or rescue USB flash/thumb drive?

A: Yes, I have a USB thumb drive with W10.

Q: Do you have a complete recent backup (on offline media) of this system?

A: No, I do not.

 

Q: Have you tried to get this Windows into SAFE mode? Just for research?

A: Yes, I have been able to get into Safe mode. Although when I am in safe mode, I am no longer able to type anything. Anywhere. It basically doesn't recognize that I'm typing. I can go around and click stuff, but no keyboard input.

Q: Do you have any other (working) Windows PC at your home? That can be a big help resource.

A: Yes, I do have one more working PC.

Note: Safe mode with networking would be ideal.

A: I am able to access safe mode with networking. Once in this environment, I can sign in to my wifi but no websites will load. It says can't find site or check spelling, etc. Also my keyboard doesn't work, so I can only click home, which doesn't load anything. I'm basically locked out.

With that in mind, how should I proceed? Download MWB to USB and run it from there? I'll wait to hear further instruction.

FYI - Up until recently this infection hadn't affected or impeded anything I tried to do. When I decided to go on the offensive a few days ago, I began by using my Lenovo All-in-One desktop. I began downloading various AV programs and started scanning, deleting, removing, and exterminating. I thought I wiped it from the Lenovo AIO. Everything was working great and I went to bed. I turned it on the following morning. It loaded and ran for about a minute. Then my mouse stopped working, I saw a cmd prompt window open and close a few times, and then BLACK. The screen went black and I haven't gotten it to display an image since, not even the startup BIOS screen. Anyway, long story... umm... less long... it seems that it ramps up aggression when I'm trying to remove it. The only thing I've ever found was one scan mentioning Andromeda. Aside from that no program has ever detected anything.

 


Be very, extremely careful with any USB flash/thumb drive that you have. It has to be totally free of any malware!

If you are using a wireless keyboard, switch to a wired keyboard. But since you say this is a Toshiba laptop, that does not apply.

The USB you say you have ("Yes I have a USB thumb drive with W10")... what exactly is on it? Was that produced by the Microsoft Windows Media Creation Tool?

NOTE also, if the keyboard is not usable, that is a show-stopper.

NOTE Malwarebytes cannot be run from a USB. Malwarebytes has to be installed in Windows on the system before you could run it.

And if there is no usable keyboard, that again is a show-stopper.

 

I presume it is a solid screen with no characters displayed of any sort.

 

[ 1 ]

IF you run into a "black screen" when Windows is starting up, keep the following in mind.

Look at the keyboard. Try some key-presses on it.

Tap the ESCAPE key once or twice. See if it changes anything on screen.

Tap the space bar. Tap the Windows-flag key. Perhaps you may get some movement on screen that way.

 


[ 2 ]

Let us see if you could simply get this machine powered off and then restarted.

Do unplug all devices from your computer, including: printers, scanners, copiers, external attached devices, etc.
The only devices you should leave attached to your computer are your monitor, mouse and keyboard, if the computer is a desktop.
And if this PC is a laptop or notebook, be sure it is directly connected to power with the power cord.

Turn off your PC by pushing the power button.

IF the machine is a laptop or a notebook, press and hold the button all the way down until you hear the disk stop spinning.

Wait about a minute.
Then power on to restart your PC. Then let Windows load up. If it does not succeed, keep repeating this cycle. It would eventually come around to offering you some repair options.

 

[ 3 ]

Be sure that you study this Microsoft help article about starting Windows in special modes.

Start PC in safe mode in Windows 10
https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode

Safe Mode with Networking adds the network drivers and services you'll need to access the Internet.

Also see https://support.microsoft.com/en-us/help/17419/windows-7-advanced-startup-options-safe-mode

If none of the Safe modes can be loaded, retry the power off/power on cycle again, and then try to get to Safe mode with Command Prompt.

I would like to know if the latter is possible. But also keep in mind a working keyboard is a must.


Hey Maurice, I hope your day is going well. So in an attempt to elaborate and offer up as much info as possible to aid in finding a solution, I think parts of my reply were unclear and thus confusing. I apologize for that.

Q: The USB you say you have ("Yes I have a USB thumb drive with W10")... what exactly is on it? Was that produced by the Microsoft Windows Media Creation Tool?

A: This recovery USB was created with the MWMCT, and that is the only thing that is on it and ever has been on it.

Q: NOTE also, if the keyboard is not usable, that is a show-stopper... I presume it is a solid screen with no characters displayed of any sort.

A: The keyboard works normally when in normal mode. It only stops functioning once the OS is running in any type of safe mode. It seems as if it does this to prevent the user from attempting to search for AV programs, modify the registry, etc. Once the PC restarts into normal mode, the keyboard again works flawlessly.

To answer your second question, on the Toshiba laptop that we are working on, its screen has no problems. The screen I was referring to was on a Lenovo AIO that I was using a few days ago. That PC is unusable. Once powered on, you can hear everything kicking on and starting up, but the screen is just as you described: "solid with no characters of any kind." The mouse and keyboard both appear to have no power to them, based on seeing no lights displayed on the keyboard. But all of this is in reference to the Lenovo, which I mentioned in hopes that maybe some detail may help point you in the right direction. I'm sorry if that was confusing and in turn led to wasting your time.

Q: I would like to know if the latter is possible. But also keep in mind a working keyboard is a must.

A: The laptop has no problems turning on and off, loading safe mode, safe mode with networking, and safe mode with command prompt, and its keyboard works just fine in normal mode but refuses to work in any safe modes. I've found that I can copy/paste, which so far is the only way I've found to input text to a particular box. I began thinking maybe I could save a file with potential inputs already typed while in normal mode when the keyboard is working, and then use that file in safe mode to copy and paste from when the keyboard ceases to work. But I'm open to suggestions.

So I'm currently in safe mode and am awaiting further instruction. Thanks again, brother.


So, you appear to say that the current main issue is on the Lenovo AIO.

We do not have a magical cure for a system that can't load Windows or cannot work in Windows.

We have to be careful to only work on one single machine. If there is a second one with issues, put that away for later.

Your last note talks about a "laptop". Is that the Lenovo? Is that the one that is in Safe mode?

In regular safe mode, there is no internet connection. Though you can scan with Malwarebytes and also with the resident antivirus.

Let's go back to the very basics and basic starters. I did not get any good report from "this machine". I want you to clearly identify for me which is the machine that is the one to focus on at this time. Let's only do one.

And I would remind you, you started this whole case by describing the Toshiba machine.

 

 

Put that machine back into normal Windows. Run the Support Tool report so I can have basic information about the machine and about Malwarebytes.

We need to get information from this machine in order to have the proper detail to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"!
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 


Did the message-box window have a title? Did it look like a Windows prompt? Almost all messages from Microsoft Windows will have a title bar.

I would like more detail about that.

Furthermore, we do need to have a basic report.

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used, and safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:

"Download link for 32-Bit version Windows"

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Scan with FRST

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the "More info" line on that screen and click the "Run anyway" button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info, follow up, and choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


Hi. How are things? I was looking for a fresh set of FRST reports. Did you see my last reply of Sunday, August 4?


Hey Maurice, I apologize for the delay. I've been having network access problems as of late, which, needless to say, is extremely frustrating.

I am currently unable to access the internet on the computer we are working on, and it has removed my privileges to do basically anything helpful or that it has deemed a potential threat (I presume). Also I'm seeing a lot of folders being labeled now with an ".exe". And I just noticed it has set a BIOS password, preventing me from accessing the BIOS whatsoever.

I took some pics from my phone that show the alert box when it rejects my attempt to do something; I'll add those to this message. Also when I turned it on most recently, it began with an unprompted Windows Automatic Repair display, then a Windows is Being Repaired display, and ended with Windows Can Not Be Repaired. I took a pic of the final display with the error code it gave; maybe that can lead us somewhere. I'm open to any suggestions you have because I'm out of ideas. Thanks again.

P.S. As I've been going through different features, trying to figure out what works and what doesn't, I've found one particular set of files and folders that it has the strictest parameters in accessing. I took a pic of this display and the files in the folder. Something with "SQL" and "CRSS.exe" among others. Just thought I'd pass that along.


Hi. I am very sorry to hear all that. The bottom line about the system trying to invoke a "Repair", etc., is that you may well just need to save all your personal files, personal documents, and personal data off onto removable media (USB flash drive) and

then either attempt a Windows 10 RESET operation

https://www.tenforums.com/tutorials/4130-reset-windows-10-a.html

or else an outright clean new install of Windows 10 using the Microsoft Media Creation Tool.

 

As far as the internet connection issue, you should drill through the Windows Settings, drilling through the Network section and doing a thorough review.

Windows Settings >>> Network and Internet

That is the best place to review. Look for whether the PC shows an internet connection. Click "Show available networks" and see what the status is.

Windows 10 has an excellent network troubleshooter.

And by the way, IF the PC is on a WIFI connection... then get a direct cable from it and connect to the Internet router box.

Also, this script may help, but keep in mind it is not a cure-all.

Start NOTEPAD (you can press Windows-key+R to get the RUN option
and then type in

NOTEPAD.exe

and press the Enter key to start NOTEPAD).

Check and make sure "word wrap" is off.
From the Notepad main menu bar, select F (Format) and make sure Word Wrap is NOT checked.
IF it -is- checkmarked, click that one time so that it is un-checked.

Please copy/paste the lines below to Notepad:


@Echo on
REM Replace the hosts file with a single localhost entry (malware often adds entries here)
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
REM Renew the DHCP lease and flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack, then reboot
netsh winsock reset all
netsh int ip reset resetlog.log
shutdown -r -t 1
REM Delete this batch file after it has run
del %0




Now save it as flush.bat to your desktop.
Double-click the flush.bat file to run it. Your computer will reboot.
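As an added illustration, not part of the thread or of any Malwarebytes tool, the script below shows why the batch file's hosts-file reset matters. It parses a constructed sample hosts file and flags entries that sinkhole a hostname to a local/null address or redirect it elsewhere, which is the kind of tampering behind the "can't access website" symptom reported earlier. The domain names are constructed `.example` placeholders.

```python
"""Audit a Windows-style hosts file for sinkholed or redirected names."""
import ipaddress

# Constructed sample of a tampered hosts file (placeholder domains).
# The comment lines and the two localhost entries are normal.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
0.0.0.0   av-updates.example
127.0.0.1 support.vendor.example  # added by the infection
10.0.0.5  www.search.example
"""

# Names that legitimately map to loopback on a default Windows install.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, [hostnames]) for each active line, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1:]


def audit_hosts(text):
    """Return (address, hostname, reason) for every suspicious mapping."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue  # expected default entries
            if addr.is_loopback or addr.is_unspecified:
                # 127.0.0.1 / 0.0.0.0 / ::1 make the site unreachable
                findings.append((ip, name, "sinkholed to a local/null address"))
            else:
                # any other address silently redirects the name elsewhere
                findings.append((ip, name, "redirected to a non-local address"))
    return findings


def clean_hosts():
    """The minimal hosts content the batch file above writes back."""
    return "127.0.0.1 localhost\n"


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:12} {reason}")
```

Running it on a real machine means reading `%SystemRoot%\System32\drivers\etc\hosts` instead of `SAMPLE_HOSTS`; a clean default file produces no findings.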


Hey man, how are you? So I have some good news. I ran the script you gave me, which seemed to help. I had previously been unable to do anything as far as resets or repairs, but after running the script I was able to do a system reset, and I chose the option to wipe everything. After it finished the install, things seem better. But if you're up for it, I'd like to proceed with some of the diagnostics you spoke about earlier just to double check.

So let me know what you want first and I'll have it to you immediately. Thanks again!


Hello. I understand that you have done a new Windows install. Just be sure that this Windows 10 is on Build 1903.

Do a Microsoft Windows Update run.

Go to the Start menu, click the Windows Settings icon. Select Update & Security. Click on Windows Update.

 

Using Malwarebytes for Windows, do a threat scan.

https://support.malwarebytes.com/docs/DOC-1156

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
