Pastafari

Virus in windows 10 broke laptop now borrowed laptop is infected.


Hello, I have some serious virus. It happened to me before, 3 years ago. I replaced all devices and got a new router at the same time and all new accounts. This fixed it. However, it returned. I thought I was hacked on my PC. At first I saw someone was remote on my PC. Windows 10 Home. I tried blocking this by turning off Remote Desktop services and WinRM. Also did this with a script in PowerShell. Eventually my PC broke and I couldn't start my laptop ever again. Now I borrowed a laptop. After 2 days I noticed I have a shortcut virus. At first I saw a weird device turning up: SteelSeries PS/2 Keyboard Forwarding Device. All info unknown. I removed this and my external USB Bluetooth mouse and touchpad still worked. However, it pops up again after I log on or after some time again. Now I found out I have a shortcut virus. All kinds of shortcuts are created and windows disappear and a lot of stuff is happening. I had the same on my broken laptop, as I had the same issues. I have 2 admin accounts and when I log on to one account the other is also opened when I look in Task Manager. I used antivirus software and Defender. Nothing was ever detected. I think my USB mouse contains BadUSB malware with this shortcut virus. It spreads fast. When I open a shortcut, the window it opens often changes with respect to letter calibration, clearness and size; it flashes, moves on the screen and sometimes gets screen-locked, stops working or disappears while remaining open in Task Manager. It's already everywhere after using this borrowed laptop for 3 days. My Explorer folder and PC structure has changed in one Windows account. The desktop is the highest-level structure, with My PC and user account and settings etc. below it. I cannot see the pathway for these. I can right-click the icons and they refer to the pathway they are originally. I also see my laptop in connected devices with the option to search inside and open stuff like settings and see the devices.
There are many processes happening and it eats the processor alive. All kinds of developer options get added to my programs even though I have not installed this. Also, the borrowed laptop had Windows 10 Pro. When I received it I did a fresh install. After it finished the PC had Windows 10 Home. I couldn't get it back even when signing in to the Microsoft account linked to the Windows 10 Pro activation key. I cannot return to the former Windows. The fresh install option doesn't provide the means to completely do so. And it doesn't work. I have a feeling other devices in my network have also been infected. I hope my router software cannot be infected? It has original software from my provider and I have reset to factory a few times and changed the password. Malwarebytes on my phone doesn't find anything.

Back to the Windows 10: I looked up the registry under Local Machine > Microsoft > Windows > CurrentVersion > Run; the only one starting without a defined folder pathway is tiltwheelmouse.exe from PXI Mouse. When I clicked on "open file in path folder" I came to System32. After this the window disappeared, and when I tried opening the folder again from Task Manager and right-clicking on the startup item PXI Mouse, there was no such option. It also changed so that no info was available and all my startup programs now showed as starting from the registry. I did never change anything in the registry. I only looked at it. I cannot disable the PXI Mouse anymore. I wanted to disable it as I did before, and all my mice, the USB one and the mousepad, still worked. I also saw that the PXI Mouse/tiltwheelmouse.exe was linked to this weird device with no info: SteelSeries PS/2 Keyboard Forwarding Device, which I kept disabling and removing. Apparently this device is activated when I plug in the USB mouse. Disabling the device doesn't stop any mouse from working. So I think the USB mouse has somehow been infected with a virus or BadUSB malware and I plugged it into the borrowed device, which then got infected as well. I cannot format the USB mouse so... I will just throw it away. Nevertheless, the laptop is infected already. So I googled.

I tried what was suggested on several websites with cmd.exe as admin, but I didn't get rights to perform the actions suggested online, like disable autorun.ink etc. on the Windows C drive. The mouse was not connected. No other devices; I only use a LAN cable from my router if I need internet. I tried a fresh install but it didn't happen, with no error messages. My firewall from Norton, which came with this laptop's software, is messed up and I have no control to change it. A lot of things have changed in 2 days so I cannot change all options. My mouse from the laptop's mousepad is moving across the screen and all sorts of stuff happen. I don't have much control. I'm sure it is a shortcut virus, probably together with other malware and spyware. No clue how I got the shortcut virus on my mouse USB in the first place, because I never used it on other PCs before and I never use other USBs.

All I know is that I have to act quickly. That is why I'm asking advice here before turning on the laptop again. I don't have much time before this laptop will be potatoes as well, and I need a very effective method before I do anything myself. After fixing this virus and laptop I probably need more help finding out what happened and if other devices connected to my network are in danger. Please help me. Ask me any missing info, as it is very confusing to explain all the stuff happening. I could use any help. Thanks in advance!

Edited by AdvancedSetup
corrected font issue
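An added note, not part of Pastafari's post or of the Malwarebytes staff reply: the registry check described above (browsing the Run key and noticing an entry that starts without a folder path) can be done for all of the per-machine and per-user Run/RunOnce keys at once with the PowerShell below. It lists every autostart entry, labels commands that have no directory path or point at a file that no longer exists, shows where Windows would actually find an unqualified name such as tiltwheelmouse.exe through the PATH search order, and reports the state of the WinRM and Remote Desktop services the poster tried to turn off. It only reads registry and service data and changes nothing. The registry keys, service names and the fDenyTSConnections value are standard Windows locations; the `Get-ImagePath` helper and the NO-PATH/MISSING/ok labels are this example's own names.

```powershell
# Added example (not from the thread): triage the Run/RunOnce autostart keys and
# the remote-access services mentioned in the post. Read-only; nothing is changed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Helper (this example's own name): extract the executable from a Run-key command line,
# which may be quoted, unquoted with arguments, or a bare file name such as tiltwheelmouse.exe.
function Get-ImagePath {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip those.
        if ($p.Name -like 'PS*') { continue }
        $image    = Get-ImagePath -Command ([string]$p.Value)
        $expanded = [Environment]::ExpandEnvironmentVariables($image)
        $rooted   = [IO.Path]::IsPathRooted($expanded)
        # An unqualified name is looked up through the PATH search order; show where it lands.
        $resolved = if ($rooted) { $expanded } else { (Get-Command -Name $expanded -ErrorAction SilentlyContinue).Source }
        $exists   = [bool]$resolved -and (Test-Path -LiteralPath $resolved)
        $flag     = if (-not $rooted) { 'NO-PATH' } elseif (-not $exists) { 'MISSING' } else { 'ok' }
        [pscustomobject]@{
            Flag     = $flag
            Name     = $p.Name
            Image    = $image
            Resolved = $resolved
            Key      = $key
        }
    }
}

# Flagged entries sort before 'ok', so anything worth a second look is at the top.
$findings | Sort-Object Flag | Format-Table -AutoSize

# Remote-access surface the poster tried to close: WinRM, Remote Desktop (TermService),
# and the fDenyTSConnections value Windows uses to switch Remote Desktop off.
Get-Service -Name WinRM, TermService -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"Remote Desktop disabled: $($ts.fDenyTSConnections -eq 1)"
```

Run it from an elevated PowerShell window; the HKCU keys it reads belong to the account that runs it, so repeat it while signed in to the second admin account to cover that profile too. A NO-PATH entry is not proof of anything by itself (some vendors do register a bare file name), but the Resolved column tells you which file on disk actually runs, which is what the Malwarebytes and FRST logs requested later in the thread will also show.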


I can't edit my post. Sorry for the typos; I had to write this on my touchscreen phone. I wanted to add that the PC tree structure in Explorer is still "normal" in the other Windows user account.

This is the device that I think is maybe the infection cause (pictures).

IMG-20200110-WA0005.jpeg

IMG-20200110-WA0003.jpeg


Hello @Pastafari, and welcome!

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks


My first Malwarebytes scan log file, which I saved in 2 locations as a .txt file, is missing after the restart from AdwCleaner. I had an update for Malwarebytes after the restart; before it I did search for updates and didn't get it. I scanned again and attached it. Somehow I have 2 .txt log files from AdwCleaner. Added both.

Windows Defender SmartScreen blocks me from opening the Farbar tool. Before the restart I was able to open it by clicking "ignore warning" and start program. After the restart from AdwCleaner, I couldn't open the taskbar-attached Farbar tool because "the shortcut changed location pathway to program" or something.. Redownloading doesn't make a change.

bababa.txt AdwCleaner[C00].txt AdwCleaner[S00].txt


Note: I didn't scan with the Farbar tool when I downloaded it and opened it, because I was performing step 2 at that point. So I didn't scan and I cannot scan right now. Do I need to disable Windows Defender SmartScreen? Also, my other account seems to log onto Windows at the same time and performs processes. I clicked on log off user. I didn't log on in the first place; it is also protected with a password. Another note: my mouse is moving to the right side of the screen very often, without me doing that. I move my mousepad somewhere and it doesn't listen and the mouse on screen goes to the right. Another thing: I saw flashing windows from cmd.exe opening and then disappearing from my screen.


I'm not seeing any real signs of any infection. Maybe try making a new user profile and restart the computer and log into it and see if you're still having any issues.


I already did this. The other account gets auto-logged on when I log into my other one, without me doing so, and runs programs; I see this in Task Manager. Why is this happening? I have set passwords and Ctrl+Alt+Del before logging on. Also I cannot fresh reinstall my Windows.. why? Why can I not go back to "factory", and why is my mouse moving around, and why did I lose control over my antivirus from Norton? I did these scans after a "fresh reinstall" which failed but did some half sort of reinstall for Windows. Maybe this removed some of the infections and they are not visible now? Maybe it would show if I wait till it spreads again. All shortcuts and my laptop tree structure in Explorer seemed back to normal after my sort-of Windows reinstall. Windows 10 Pro is still not activated, which was this laptop's Windows version before I borrowed it. I logged on with the owner's Microsoft account originally used before I got it, so it should upgrade back to 10 Pro with the digitally activated key, but I can't activate Pro.

The laptop is extremely hot when I start it, even without running programs. This wasn't happening before.

I still have the weird keyboard forwarding device being connected and I haven't used my USB mouse. Disabling and removing doesn't keep it from coming back. Nothing is known about this device.


Also, my other PC broke completely after malicious stuff like I described was going on and is now dead, no sign of life... ? That wasn't a coincidence, happening right after I found out something was wrong. And 3 years back the same thing, 3 laptops broken. Back then 3 ransomware types and 3 types of other malware were found with antivirus before it completely broke. One was IDP.Alexa; forgot the other names. Lost all my personal files. Phone got locked too. I notice the same type of weirdness happening now as back then. Before those malware types were found I tried a lot of scans with antivirus and they were undetected for the first months, even though I knew something was wrong..

And: I see a lot of settings being disabled for me by "my organization" that were not a day before that..


And why did I have 63 lost partitions shown in the deep scan?

My EFI wasn't empty; the second before I restarted the PC I took this photo. The restart never happened and the laptop died completely.

The laptop also became some weird share; I have no clue what that was.

Also saw that the connected PC was running Windows 10 Pro. Note that I disabled WinRM and Remote Desktop etc., also in PowerShell. These pics were from the hours before the laptop died last month.

IMG-20191224-WA0042.jpg

IMG-20191224-WA0013.jpg

IMG-20191224-WA0037.jpg

IMG-20191223-WA0010.jpg

IMG-20191224-WA0032.jpg

IMG-20191223-WA0006.jpg


You may have some type of hardware issue but the logs and items you've posted are not signs of an infection.

I would highly suggest you check your hardware and obtain hard drive testing software from the vendor that makes the hard drive on your system and see if it's having a failure or not.


Okay, but this is another laptop.. why would both have hardware failure? By the way, this laptop seems more infected again. Malwarebytes gets stuck, so I did the support tool, which repaired it for a second. Then I did the scan logs and Farbar. It got stuck as well. I cannot restore to saved system backups; they go missing all the time.. I have many backups and system copies on the 2nd disk, but they fail. Also my borrowed phone keeps connecting to the network and connecting to other devices' sharing options which I do not have control over... probably my network infects the devices and I suspect a rootkit.

One thing: I had to go to my former email to open a doc because I needed it. This email was in use 3 years back when I had the similar type of attack. I didn't open the document. I only sent it to someone to print it. I also sent it to scan@virustotal.com and the report said there was no malware or virus found in the mail attachment.


Unfortunately we are experiencing an issue with some user machines where scans are not completing so it's very likely you've run into that issue as well. We're hoping to have a fix for that out within a couple weeks.

I would make sure your Router has not been compromised. I doubt it but better safe and make sure.


Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router DO NOT erase, install, or update the firmware, just reset your router to factory defaults. Then ensure you have a unique strong password on the router Admin settings.

Read ALL Warnings before making any changes.

Reset And Reboot

Hard reset or 30/30/30


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

This topic is now closed to further replies.