gothubbed Posted April 28, 2021 ID:1453812 Share Posted April 28, 2021 This hard-to-catch, tricky rootkit that no one can seem to find but I know it's there. Here are logs from Farbar: Thank you . FRST4-28.txt Addition4-28.txt Link to post Share on other sites More sharing options...
gothubbed Posted April 28, 2021 Author ID:1453816 Share Posted April 28, 2021 Incidentally, I believe the hackers files to be on the HDD's or in the other partition of the main drive , the ssd. So you may not see them on this partition. I had looked up a folder I didn't know "shldr" and it led me to this forum with a problem very similar to mine. I found the folder on the D drive which is one of my backup HDDs, not my main drive. Thank you. Link to post Share on other sites More sharing options...
kevinf80 Posted April 28, 2021 ID:1453817 Share Posted April 28, 2021 Hiya gothubbed and welcome to Malwarebytes, Run the following: Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours... Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs Thank you, Kevin Link to post Share on other sites More sharing options...
gothubbed Posted April 28, 2021 Author ID:1453884 Share Posted April 28, 2021 Hi thank you for your prompt attention to this matter. Here are the logs. "New threats were found on your computer during cleanup..." So I'm running it again. SophosVirusRemovalToolXXXXXXXXXXXXXX.txt Link to post Share on other sites More sharing options...
kevinf80 Posted April 28, 2021 ID:1453899 Share Posted April 28, 2021 Thanks for the update, let me see the new log when complete.. Link to post Share on other sites More sharing options...
gothubbed Posted April 29, 2021 Author ID:1453931 Share Posted April 29, 2021 Hi Here is the next log. The times do not look right.. And so I got the same "new threats were found..during cleanup" . Since it's taking about 2-4 hours per scan, it's most likely going to find "new threats" each time just because it cannot successfully fix or remove the malware. But I don't really think the issue is that. What I've been experiencing these past few months is something I've never come across or seen before. Sometimes I think that just since I got this computer last year and started for the first time using windows 10, that because ms is so intensive with all the processes it utilizes, I could be mistaking some what is going on with ms and win10 however I've seen some malware do some crazy ish, like change windows account passwords, change and set to trigger and lock many of the services. Screenshot of some services below. So should I run sophos again? Thank you so much for your help. ~~~~~~~.txt Link to post Share on other sites More sharing options...
kevinf80 Posted April 29, 2021 ID:1453998 Share Posted April 29, 2021 Hiya gothubbed, The last Sophos log has flagged key gens (licence key generators) for cracked software as malicious, that may or maynot be true. However, we see infected systems here at this forum and the underlying cause can be attributed to such software. The ones flagged on your system are located on E:\ drive: Quote 2021-04-28 23:14:06.395 The following items will be cleaned up: 2021-04-28 23:14:06.395 Mal/Packer 2021-04-28 23:14:06.395 Mal/Packer 2021-04-29 00:01:23.083 >>> Virus 'Mal/Packer' found in file E:\wd ext drive\Downloads\The Psychedelic Screen Saver v2005.0522 by s0m.zip\PS Keygen.exe 2021-04-29 00:01:23.083 Disinfection not offered 2021-04-29 00:01:23.196 Disinfection failed [0xa0040208] 2021-04-29 00:01:23.328 >>> Virus 'Mal/Packer' found in file E:\wd ext drive\My Documents\Downloads\The Psychedelic Screen Saver v2005.0522 by s0m.zip\PS Keygen.exe 2021-04-29 00:01:23.328 Disinfection not offered 2021-04-29 00:01:23.333 Disinfection failed [0xa0040208] 2021-04-29 00:01:23.334 Error: cleanup failed. The program "The Psychedelic Screen Saver" does not show in the installed programs list on the addition.txt log from FRST, I assume you`ve not used that cracked software..? If the key gen does carry malicious code then it can only infect your system when the key gen is used to make the software appear to be legitimate... Can you disconnect the extra drives and run the following on your main drive... Please download Malwarebytes Anti-Rootkit from here: http://downloads.malwarebytes.org/file/mbar Right click on the tool (select "Run as Administrator) to start the extraction to a convenient location. (Desktop is preferable) Open the folder where the contents were unzipped and run mbar.exe Follow the instructions in the wizard to update and allow the program to scan your computer for threats. Click on the Cleanup button to remove any threats and reboot if prompted to do so. Wait while the system shuts down and the cleanup process is performed. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process. When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt Thank you, Kevin.. Link to post Share on other sites More sharing options...
gothubbed Posted April 30, 2021 Author ID:1454327 Share Posted April 30, 2021 Hi Kevin Thank you for your help . I physically disconnected both HDDs(boths power and data plugs) so it's running on just the SSD. Ran Malwarebytes Anti rootkit but it doesn't find anything. Says no malware found. The have a trial membership with sophos home and it keeps bringing up a file ipnetinfo.zip. Also, and I took a screenshot of it. About 2 to 3 weeks ago and a new windows account appeared. I did not make this account. It asks a question about domains right there. I did not do this , I didn't even make the account. I do have two accounts on the machine "giant" and "pk 141" but other user is not me. I'm the only one that has access to this machine. And the psychedelic screensaver thing I think I've had for years and years , I came with some other software, I forget now what it was. Can I go right into where the file is and just delete it? But as for Malwarebytes, it says I'm clean. But I've had this malware hide files on the machine, then flush the data. Hidden volumes that say they are recovery disks and probably are but other stuff has gotten stored on them. This "other user" account has got me baffled, I'm posititve I did not create that account. Whatever this thing is it seems to have administrative control through some remote access. All that gets turned off anyway when ever I have to reset-never liked having those accessible. I also have started taking counter measures by following the post at the top of this forum Tips to help prevent infection. Made a proton email address and oh yeah the vpn they offer for free, is it safe to use their free vpn or is it worth paying for ? I'm trying to shop around for a good vpn and a good anti virus. Thanks again Link to post Share on other sites More sharing options...
kevinf80 Posted April 30, 2021 ID:1454369 Share Posted April 30, 2021 Hiya gothubbed, The accounts showing in FRST log "Addition.txt" as follows: Administrator (S-1-5-21-413066963-3690011349-1779799839-500 - Administrator - Disabled) DefaultAccount (S-1-5-21-413066963-3690011349-1779799839-503 - Limited - Disabled) giant (S-1-5-21-413066963-3690011349-1779799839-1001 - Administrator - Enabled) => C:\Users\giant Guest (S-1-5-21-413066963-3690011349-1779799839-501 - Limited - Disabled) pk141 (S-1-5-21-413066963-3690011349-1779799839-1007 - Limited - Enabled) => C:\Users\pk141 WDAGUtilityAccount (S-1-5-21-413066963-3690011349-1779799839-504 - Limited - Disabled) All of those accounts, excluding your known accounts are legitimate and will be found on a Windows 10 installation. Lets run a check on installed accounts through cmd.exe for confirmation... Open and elevated command prompt, at the prompt type or copy paste: wmic useraccount list full then hit enter. Allow that command to complete... From the command window select > C:\ from top left corner of command prompt window. Then select > Edit then Select All that will highlight all script in the cmd window Then select > C:\ again from top left hand corner Then select Edit then Copy That will save a list of all accounts to the clipboard. Open Notepad > right click into the text area and select Paste That will copy a list of all accounts to Notepad, name it Acclist and save to your desktop or a folder of your choice, attach to your next reply... Thanks, Kevin.. Link to post Share on other sites More sharing options...
gothubbed Posted May 1, 2021 Author ID:1454384 Share Posted May 1, 2021 Hi Here's that list: Thanks Link to post Share on other sites More sharing options...
gothubbed Posted May 1, 2021 Author ID:1454385 Share Posted May 1, 2021 Sorry wrong one. Here: ^^^^^^^^^^^^^^^^.txt Link to post Share on other sites More sharing options...
kevinf80 Posted May 1, 2021 ID:1454437 Share Posted May 1, 2021 Hiya gothubbed, The accounts you`ve listed there do tally with the listed accounts from FRST log "Addition.txt" I do not see any anomalies.. The screen shot you listed showing an account listed as "Other User" That is the option to open one of the installed accounts from the lists we see via FRST and confirmed using command prompt.. The accounts listed other than the ones you created are not active, hence you have only one showing as "Other User" Administrator (S-1-5-21-413066963-3690011349-1779799839-500 - Administrator - Disabled) DefaultAccount (S-1-5-21-413066963-3690011349-1779799839-503 - Limited - Disabled) giant (S-1-5-21-413066963-3690011349-1779799839-1001 - Administrator - Enabled) => C:\Users\giant Guest (S-1-5-21-413066963-3690011349-1779799839-501 - Limited - Disabled) pk141 (S-1-5-21-413066963-3690011349-1779799839-1007 - Limited - Enabled) => C:\Users\pk141 WDAGUtilityAccount (S-1-5-21-413066963-3690011349-1779799839-504 - Limited - Disabled) Lets say for example that you want to make "WDAGUtilityAccount" active, when that is done you then see three accounts listed and still one as "Other User" similar to your screenshot, if you enabled all of the disabled accounts your screen shot would then show the full available list and none listed as "Other User" Does that make sense to you.... To enable "WDAGUtilityAccount" open "Computer Management" open "Users" right click on "WADGUtility" then select "Properties" from the new window remove the checkmark from "Account is disabled" give the account a name, click apply then ok. Next time you boot that new account will be listed, select it, it should have a default password pw123 use that then create a new password, that account has special functions, if you are not fully conversant with Windows do not use it.... WDAGUtilityAccount is a user account that is managed and used by the system for Windows Defender Application Guard scenarios, like I said before, if you are not fully conversant with windows do NOT enable that account... I hope that explanation has helped you understand why your screenshot is not really suspicious...? Do you have any remaining issues or concerns... Thank you, Kevin... Link to post Share on other sites More sharing options...
gothubbed Posted May 2, 2021 Author ID:1454499 Share Posted May 2, 2021 Yes you explained this very well. So windows 10 is the malware. Got it. Like I said I've only been using win 10 just since I got this computer over a year ago feb. Since when did local network and network service get so much control over group policies? Since Win 10 again? The system administrator seems to have a lot of power too over permissions? I know this is gonna sound nuts but this must be a gaslight of all malware because it's gonna do what it has done after everytime I get a clean bill of health and leave a forum,the malware starts taking over the machine again along with all sorts of remote connections and I have no choice but to shut it down for the night and unplug power and ethernet cable. Crazy making. It's next to impossible to catch it to see what it's doing as it's doing it. If this is all just windows 10 then no wonder people were freaking out when it first came out and everyone was worried about privacy and whatnot. I mean it's like you're being monitored of everything which you kinda expect but when it starts changing things. How come many services are greyed out so that I change change it from there. And are more and more services triggered, I am not setting them to trigger. Machine processes and resources get used that I'm not using myself in the operation of the machine. Guess the only thing to do short of wiping everything (which I should probably just do) is take some screen shots of what looks like malware activity as it's happening. It affects my phone too of course. I've reset it numerous times. Thank you for explaining about "other user" and thank you for your help. Like I said I'll gather any evidence of malware I can, in whatever form I can. I just feel like there's more than a windows 10 thing-not with the account as you explained but the other weird stuff that happens. I hope I'm wrong. If I gather more logs or screen shots, I'll come back and start a new thread. I'm starting to implement "tips.. " from top of this forum so I'm sure that will help too. Thank you Link to post Share on other sites More sharing options...
Solution kevinf80 Posted May 2, 2021 Solution ID:1454528 Share Posted May 2, 2021 Hiya gothubbed, I do not believe your system is infected. Windows 10 in my opinion is the best version since Windows XP. You ask about "trigger" start services, using a trigger is basically there to help reserve resources, CPU, memory etc... Only use certain services when required as opposed to on all of the time.. To clean up and make other points understandable do the following: Uninstall the following program (unless you prefer to keepit):Sophos AVhttp://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/ Also delete this folder if still present: C:\ProgramData\Sophos Next, Right click on FRST here: C:\Users\giant\Desktop\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator" If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall That action will remove FRST and all created files and folders... Next, Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/ Condsider the following: Disable Remote Desktop: https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html Disable Windows Telemetry: https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/ Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/ Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Will also work for Opera and Edge.. PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download From there you should be good to go... Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
kevinf80 Posted May 11, 2021 ID:1456206 Share Posted May 11, 2021 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts