Need help with deep rooted malware. Factory reset no matter


Hello mdes,

I do not see any specific malware or infection in your logs. There is, however, evidence of file-system structure issues in the system error log:

A file system index structure contains entries that violate ordering rules.  The file reference number is 0x100000000001a.  The name of the file is "<unable to determine file name>".  The corrupted index attribute is ":$R:$INDEX_ALLOCATION".  The corrupted subtree is rooted at entry number 0 of the index block located at Vcn 0x576.

Open an elevated command prompt and run the following commands, hitting Enter after each:

CHKDSK X: /F   (replace X with your system drive letter, usually C or D)

DISM /Online /Cleanup-Image /RestoreHealth

SFC /SCANNOW

Let me know the findings.

Thanks,

Kevin
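The three repair commands above, driven from an elevated PowerShell window, followed by a pull of the "[SR]" lines from CBS.log so the reader can see what SFC actually repaired or could not repair. This is an added example, not part of Kevin's post. It assumes Windows 8 or later (Repair-Volume comes from the Storage module; on Vista/7 use the CHKDSK line as posted), that the system drive is C:, and that CBS.log is in its default location under $env:windir\Logs\CBS.

```powershell
# Added example (not from the original post). Assumes Windows 8+, system drive C:,
# and CBS.log at its default path. Run from an elevated PowerShell window.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-SystemRepair {
    param([string]$Drive = 'C')

    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell window.' }

    # CHKDSK X: /F cannot lock the running system volume, so it offers to run at the
    # next boot. Repair-Volume -OfflineScanAndFix schedules that same offline fix
    # without the interactive Y/N prompt.
    Repair-Volume -DriveLetter $Drive -OfflineScanAndFix

    # Repair the component store first: SFC takes its replacement files from it.
    & "$env:windir\System32\Dism.exe" /Online /Cleanup-Image /RestoreHealth
    if ($LASTEXITCODE -ne 0) { Write-Warning "DISM exited with code $LASTEXITCODE" }

    & "$env:windir\System32\sfc.exe" /scannow
    if ($LASTEXITCODE -ne 0) { Write-Warning "SFC exited with code $LASTEXITCODE" }
}

# SFC writes one "[SR]" line per action to CBS.log. Most are "Verifying 100 components";
# the lines that matter report a repair, or a repair SFC could not carry out.
function Get-SfcResults {
    param([string]$LogPath = "$env:windir\Logs\CBS\CBS.log")
    Select-String -Path $LogPath -Pattern '\[SR\]' |
        ForEach-Object { $_.Line } |
        Where-Object { $_ -match 'Cannot repair|Repairing|Could not reproject|corrupt' } |
        ForEach-Object { ($_ -split '\[SR\]', 2)[1].Trim() } |
        Select-Object -Unique
}

Invoke-SystemRepair -Drive 'C'
# Same idea as the classic "findstr /c:"[SR]" CBS.log > sfcdetails.txt", but pre-filtered.
Get-SfcResults | Tee-Object -FilePath "$env:USERPROFILE\Desktop\sfcdetails.txt"
```

The filtered list is what to read rather than SFC's one-line summary: "Repairing corrupted file" entries tell you which files were replaced, and any "Cannot repair member file" entry means the component store itself is damaged and the DISM step needs a known-good source. SFC's own console text can appear letter-spaced in some PowerShell hosts; CBS.log is unaffected.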

I've attached the debug log from AdwCleaner and the scannow logs and corrupt file fixes. So, what kind of corrupt files? I've had a flickering screen, been locked into the BIOS screen, I was blocked from each antivirus I tried to download (it blocked the download and the websites the antivirus was on), I'm at home logged in as admin on a private network on a computer no one else uses, and I got locked out by my "IT admin". I've done 3 factory resets and nothing fixed it. However, it says those corrupt files are fixed, so I'll cross my fingers.

Attached: CBS.log, AdwCleaner_Debug.log


I was able to run CHKDSK because it was in use by another process. The SFC scan said I had a boatload of corrupted files and that it fixed them. But it didn't. I've got about 15-20 TCP/UDP connections through the firewall (remote and local). Whatever it is can change settings after I leave the page. It's downloaded 15 updates to Windows Defender that I'm assuming render it useless. Those might look like normal Windows files but they're not. Maybe they are and it's somewhere else.

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10, you also need to do the following:

  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level, check the box next to Run this program as an administrator
  • Click on Apply, then click OK

  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked; if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

  • Click on the Options button at the top of the program and select Scan Options..., then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

  • Once that's done, click the Rescan button at the bottom of the Autoruns Scan Options dialog. This will start the scan again; this time let it finish.
  • When it's finished and says Ready. in the lower left of the program window, click on the File button at the top of the program, select Save, save the file to your desktop, and close Autoruns.
  • Right-click on the file on your desktop that you just saved, hover your mouse over Send To, and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply
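The same Autoruns collection as the GUI steps above, done with the command-line build (autorunsc.exe from https://live.sysinternals.com/autorunsc.exe) so it produces a CSV, plus a filter over that CSV for the entries a reviewer reads first: images that are unsigned or whose signature did not verify, VirusTotal detections or files VirusTotal has never seen, and autostart entries whose image no longer exists on disk. This is an added example, not part of the post above or of Sysinternals' documentation. Assumptions: autorunsc.exe is saved on the desktop, the prompt is elevated, and the CSV column names used here ("Signer", "Image Path", "VT detection", "Entry Location", "Launch String") match what the tool writes; the VirusTotal column is assumed to read "detections/engines", e.g. "0/70".

```powershell
# Added example (not from the original post). Assumes autorunsc.exe on the desktop,
# an elevated prompt, and the CSV column names noted in the lead-in.

$exe = Join-Path $env:USERPROFILE 'Desktop\autorunsc.exe'
$csv = Join-Path $env:USERPROFILE 'Desktop\autoruns.csv'

function Export-AutorunsCsv {
    param([string]$Exe, [string]$OutFile)
    # -a *   all autostart categories      -c   CSV output       -h  file hashes
    # -s     verify code signatures        -v   VirusTotal lookup (-vt accepts VT's terms)
    # -m     hide Microsoft-signed entries (the "Hide Windows entries" option)
    # '*'    scan every user profile, not only the one running the tool
    $args = @('-accepteula', '-nobanner', '-a', '*', '-c', '-h', '-s', '-v', '-vt', '-m', '*')
    # Redirecting through Start-Process hands the tool a file handle, so the bytes it
    # writes (UTF-16 with a byte-order mark) land in the file unchanged.
    Start-Process -FilePath $Exe -ArgumentList $args -RedirectStandardOutput $OutFile -Wait -NoNewWindow
}

function Get-SuspiciousAutoruns {
    param([string]$CsvPath)
    # Import-Csv honours the byte-order mark; if columns look garbled, add -Encoding Unicode.
    foreach ($r in Import-Csv -Path $CsvPath) {
        $why  = @()
        $path = $r.'Image Path'

        # Autoruns prefixes the Signer column with "(Verified)" only when the
        # Authenticode chain checks out; "(Not verified)" or blank is worth a look.
        if ($r.Signer -notmatch '^\(Verified\)') { $why += "signature: '$($r.Signer)'" }

        if ($r.'VT detection' -match '^\s*(\d+)/(\d+)') {
            if ([int]$Matches[1] -gt 0) { $why += "VirusTotal $($r.'VT detection')" }
        } elseif ($r.'VT detection') {
            $why += "VirusTotal: $($r.'VT detection')"    # e.g. Unknown: never submitted
        }

        # Autoruns reports a dangling entry as "File not found: <path>" in Image Path.
        if ($path -match '^File not found') { $why += 'image missing on disk' }

        if ($why) {
            [pscustomobject]@{
                Location = $r.'Entry Location'
                Entry    = $r.Entry
                Image    = $path
                Launch   = $r.'Launch String'
                Why      = ($why -join '; ')
            }
        }
    }
}

Export-AutorunsCsv -Exe $exe -OutFile $csv
Get-SuspiciousAutoruns -CsvPath $csv | Sort-Object Location | Format-Table -AutoSize -Wrap
```

A clean "(Verified) Microsoft Windows" signer is not proof of anything by itself, but an entry that fails all three checks (unsigned, unknown to VirusTotal, launched from a user-writable path) is where to start, and a "File not found" entry is leftover persistence from something that has since been removed or renamed. The filter can be pointed at a CSV saved from the GUI as well, provided the same columns are present.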

Well, not in the sense that it's fixed. Someone has full remote capabilities, I believe because they got to my Azure account and SSO auth tokens. The malware loaded immediately at boot-up and disabled all antivirus and loaded other programs that looked strikingly similar to other Microsoft programs. Any download of other anti-malware was blocked or used for more malware. It doesn't really matter if they have remote access and System-level permissions. As of now my PC is disabled. It would seem as though I'm under attack.


Hiya mdes,

There was no evidence of what you describe in your FRST logs. Did you try Autoruns? Maybe that log will give more insight into what is happening with your system. Also give the following a try:

Offline scan for Windows 10

Open the search function, type or copy/paste Windows Defender Security Center, then select OK to open that option.

In the new window select Virus and Threat Protection, then select Scan Options.

The scan options window will open; from there select Windows Defender Offline Scan.

You will be given the option to save any open work etc., then select Scan. When the scan completes Windows will reboot.

To check for found entries:

Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection. On the Virus & threat protection screen select Protection history.

If entries are shown as "Found", the time and date will be the same as the offline scan just completed.

Thank you,

Kevin
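The same Windows Defender Offline scan the steps above reach through the GUI, driven from an elevated PowerShell window, with a state check before it and a listing of what the scan found after the reboot. The state check also covers the two things the earlier post worries about, whether real-time protection has been switched off and whether exclusions have been added, since an attacker with admin rights does not need to break Defender: an exclusion for their directory or process is enough. This is an added example, not part of Kevin's post. It uses only the built-in Defender module cmdlets (Get-MpComputerStatus, Get-MpPreference, Start-MpWDOScan, Get-MpThreatDetection, Get-MpThreat); the marker file on the desktop is my own device for remembering when the scan started.

```powershell
# Added example (not from the original post). Built-in Defender cmdlets only;
# the marker file path is an arbitrary choice. Run from an elevated PowerShell window.

$marker = Join-Path $env:USERPROFILE 'Desktop\wdo-started.txt'

function Show-DefenderState {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        ServiceRunning           = $s.AMServiceEnabled
        RealTimeProtection       = $s.RealTimeProtectionEnabled
        BehaviorMonitoring       = $s.BehaviorMonitorEnabled
        SignatureVersion         = $s.AntivirusSignatureVersion
        SignatureAgeDays         = $s.AntivirusSignatureAge
        LastFullScan             = $s.FullScanEndTime
        RealTimeDisabledByPolicy = $p.DisableRealtimeMonitoring
        # Every exclusion listed here needs an owner you can name; malware adds them too.
        ExcludedPaths            = ($p.ExclusionPath      -join '; ')
        ExcludedProcesses        = ($p.ExclusionProcess   -join '; ')
        ExcludedExtensions       = ($p.ExclusionExtension -join '; ')
    }
}

function Start-OfflineScan {
    # Remember when we started so the post-reboot listing can be limited to this scan.
    (Get-Date).ToString('o') | Set-Content -Path $marker
    Start-MpWDOScan          # Windows reboots into the offline environment from here
}

function Show-OfflineScanResults {
    if (-not (Test-Path $marker)) { throw "No start marker at $marker; run Start-OfflineScan first." }
    $since = [datetime]::Parse((Get-Content -Path $marker))

    # Get-MpThreatDetection carries the ThreatID; Get-MpThreat maps it to a name.
    $names = @{}
    foreach ($t in Get-MpThreat) { $names[[string]$t.ThreatID] = $t.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                Threat     = $names[[string]$_.ThreatID]
                Resources  = ($_.Resources -join '; ')
                Process    = $_.ProcessName
                Remediated = $_.ActionSuccess
            }
        }
}

Show-DefenderState | Format-List
# Start-OfflineScan                                         # uncomment to reboot into the scan
# Show-OfflineScanResults | Format-Table -AutoSize -Wrap    # run this after the reboot
```

Run Show-DefenderState first and keep its output: if RealTimeProtection is false, the exclusion lists are non-empty, or the signature age is large on a machine that is online, that is the concrete evidence the earlier posts were asking for, and it is independent of whatever the offline scan then finds. Show-OfflineScanResults is the command-line equivalent of the Protection history view described above, restricted to detections from this scan.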

Are you indicating your computer is disabled after running the offline scan with Defender? Not sure what you mean by remote access?


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

