I believe we have a serious Malware infestation

[natebe]

Our home network is compromised, one PC dead the others in danger.

[Maurice Naggar]

Hello @natebe    

I am sorry to read of your trouble.   I must make some observations first  & also ask some very basic questions.

 

First, what version of Windows is "the dead pc"?   and know that we cannot do much if the machine cannot run anything, or if it cannot run Windows.

Why do you mention "rootkit malware "?   What tool or tools have you run that indicate or identify a "rootkit"?

Why is "home network is compromised "?   what security tool has found a compromise ?

 

NOTE, we can only work on one machine on this one case.  Not more than that.

Does each of your machine have Malwarebytes for Windows ?

What about installed antivirus program ?   what is installed?

 

Pick one machine that can run Windows   that you need help on.   and then, we will stick with only that machine.   No others on this case.

Then

do as outlined on the pinned topic at the top of this forum

 

 

Edited April 26, 2020 by Maurice Naggar

[natebe]

  here are the logs, I am including a scan of shortcuts as well. The programs on the shortcut are the same on first computer that may be too far gone.report.txtAddition_25-04-2020 22.28.38.txt

Addition_25-04-2020 22.28.38.txt

Shortcut_25-04-2020 22.28.38.txt

 

 

FRST_25-04-2020 22.28.38.txt

[Maurice Naggar]

Recall, please, I mentioned we should work on just one machine on this case.

[natebe]

Yes these logs are from machine 2. I just mentioned the other, but I will refrain from that.

[Maurice Naggar]

If you just very recently installed, Malwarebytes for Windows,  please do this now.

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 
Click the Security Tab. Scroll down to 
"Windows Security Center"
Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
 

[Maurice Naggar]

I am going to list 2 different scan tasks below.  I would like for you to do both.   Just keep going down the list.

[   1   ]

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
[     2    ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft 
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

[natebe]

Here are the next logs that you requested. Also a system log.

 

mbar-log-2020-04-25 (23-24-10).txt system-log.txt msert.log

[Maurice Naggar]

The Malwarebytes anti-rootkit found no infection.  The Microsoft Safety scanner reports no malware, no viruses.

The Threat scan run of the Malwarebytes for Windows on 25 April reported no malware.

 

[    1    ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner  detects factory Preinstalled applications too! 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).
Then click on Dashboard button.
Click the blue button "Scan Now".

allow it a few minutes to finish the Scan.   Let it remove what it finds.
NOTE:  When it comes to the section "
Pre-installed applications

You can skip that.
Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".
Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.
 

[    2    ]     NEXT

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  

You should click to off the offer for “periodic scanning”.
 

[natebe]

I just wanted to drop in and give you an update. We have taken our machines to a local tech for remediation. I have kept the first pc, to look at the UEFI modules, devices, and files. Turns out that the virus has already compromised the firmware. Thank you for all your assistance.

[Maurice Naggar]

Thanks for the update.   I will then mark this for closure.

Just so you understand,  in my multi-decades in the pc-help & malware-fighting community,  we just have never had an actual firmware issue.

 

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.