
I was infected by a zero-day, deeply integrated into the system as a rootkit, that my current AV (Bitdefender) detected with behaviour detection and removed. For safety I clean-installed Windows. Everything went fine; even a full scan and a rescue scan by Bitdefender went fine. Now I am unable to install Malwarebytes, and the Malwarebytes extension isn't working. Also, I once found a lot of suspicious traffic from my device; again this time I formatted the hard disk and then clean-installed Windows. Still I find that many system files are getting corrupted now for no reason. Please check my system for any malware, adware, spyware, keyloggers, viruses, etc. and check especially for rootkits (UEFI, kernel, bootkit, MBR, virtualization, ring 0, ring 1, ring 3, firmware, etc.). Farbar recovery reports are in the attachment of this post. Thanks

FRST.txt Addition.txt Shortcut.txt


  • Root Admin

Hello @DarkLord7736

It looks like you "may" have a corrupted user profile.

Error: (09/09/2021 05:45:30 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
 DETAIL - The process cannot access the file because it is being used by another process.

Error: (09/09/2021 05:45:30 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\panka\AppData\Local\Microsoft\Windows\\UsrClass.dat

 

Please try creating a NEW user profile with Admin rights and see if that helps correct issues for you and let me know.

 

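The two event log entries quoted above (User Profile Service Event IDs 1508 and 1542, pointing at UsrClass.dat) are what the "corrupted profile" guess rests on. The script below is an added example, not something posted in the thread: from an elevated PowerShell prompt it pulls those events from the Application log, lists every profile's UsrClass.dat with its last-write time, and, if errors were found, creates the fresh local Administrator account the reply asks for. The account name `ProfileTest` is an assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$NewUser = 'ProfileTest'   # hypothetical name for the test account

# Query only the provider and event IDs quoted in the reply.
$profileErrors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1508, 1542
} -ErrorAction SilentlyContinue   # no matching events is not an error for us

if (-not $profileErrors) {
    Write-Host 'No profile-load errors (Event ID 1508/1542) in the Application log.'
} else {
    Write-Host ("Found {0} profile-load error(s); most recent first:" -f $profileErrors.Count)
    $profileErrors |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, Message -First 5 |
        Format-List

    # UsrClass.dat is a hidden file, so -Force is required to list it.
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat' -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize

    # Create the new local admin account only if it does not already exist.
    if (-not (Get-LocalUser -Name $NewUser -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for new local admin '$NewUser'"
        New-LocalUser -Name $NewUser -Password $pw -FullName 'Profile test account' `
            -Description 'Temporary account to test for profile corruption' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $NewUser
        Write-Host "Created local admin '$NewUser'. Sign out, sign in as that user and re-test."
    }
}
```

If the errors stop appearing under the new account while the old profile keeps logging 1508/1542, the problem is the profile's registry hive rather than the system as a whole, which is the distinction the reply is trying to make.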

  • Root Admin

We can do some scans. Please disable any current real-time antivirus and run the following scans.

 

STEP 1

Follow the instructions here

 

STEP 2

Let me have you run a different scanner to double-check.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

STEP 3

Please download the following scanner from Kaspersky and save it to your computer: TDSSKiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSKiller.

PC Winvids - How to run Kaspersky TDSSKiller

If an infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

 

STEP 4

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

That will give quite a few well-known and trusted scanners the opportunity to scan the system for any issues.

 

Thanks

 

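Steps 2 to 4 above each leave a log that the reply asks to have attached. The script below is an added example, not part of the thread: it gathers those logs into one folder, records each file's size and SHA-256 in a manifest so the helper can tell whether an attachment was altered or truncated in transit, and zips the result. Only the MSERT path comes from the thread; the TDSSKiller file pattern in the system drive root is my understanding of its default and is labelled as assumed, and the ESET path is a placeholder for wherever you chose "Save scan log".

```powershell
# Added example (not from the thread): collect scan logs for attaching to a reply.
$EsetLog = Join-Path $env:USERPROFILE 'Desktop\eset_scan_log.txt'   # placeholder: your "Save scan log" location

$Candidates = @(
    (Join-Path $env:SystemRoot 'debug\msert.log'),   # MSERT path stated in the thread
    $EsetLog
)
# Assumed: TDSSKiller writes TDSSKiller.<version>_<date>_log.txt to the system drive root.
$Candidates += Get-ChildItem -Path "$env:SystemDrive\" -Filter 'TDSSKiller.*_log.txt' -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

$Out = Join-Path $env:USERPROFILE 'Desktop\scan_logs'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Copy each log that exists and record its size and hash; warn about the missing ones.
$manifest = foreach ($path in $Candidates) {
    if (Test-Path -LiteralPath $path) {
        Copy-Item -LiteralPath $path -Destination $Out -Force
        [pscustomobject]@{
            File   = Split-Path $path -Leaf
            Bytes  = (Get-Item -LiteralPath $path).Length
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    } else {
        Write-Warning "Missing (scanner not run yet, or log saved elsewhere): $path"
    }
}

$manifest | Format-Table -AutoSize
$manifest | Export-Csv -Path (Join-Path $Out 'manifest.csv') -NoTypeInformation
Compress-Archive -Path "$Out\*" -DestinationPath "$Out.zip" -Force
Write-Host "Attach $Out.zip to your next reply."
```

Running it before the scanners have finished simply reports the logs as missing, so it can be re-run until all four are present.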

  • Root Admin

Yep, looks good. Nothing was found from any of them.

Please restart the computer one more time and run the following @DarkLord7736


Download Hollows Hunter to your computer
https://github.com/hasherezade/hollows_hunter/releases/download/v0.3.1/hollows_hunter64.zip

Make a new folder on your hard drive called: C:\Hollows
Move the downloaded file to the new folder C:\Hollows
Extract the file out of the zip to the new folder (let me know if you need further instructions on unzipping)

Then right-click over hollows_hunter64 and select "Run as administrator"

Once the program has completed please zip up the new folder it creates and attach to your next reply.

 

Thanks

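The folder, extract, run-as-administrator and zip-the-output steps above can be done from one PowerShell session. The script below is an added example, not the project's or the thread's own code: it assumes hollows_hunter64.zip is already in the current user's Downloads folder and that the scanner writes its report into a new subfolder of the directory it is run from; it identifies that subfolder by comparing the directory listing before and after the run rather than guessing its name.

```powershell
# Added example (not from the thread): prepare C:\Hollows, run the scanner elevated, zip its output.
$Work = 'C:\Hollows'
$Zip  = Join-Path $env:USERPROFILE 'Downloads\hollows_hunter64.zip'   # assumed download location

if (-not (Test-Path $Zip)) { throw "Download not found: $Zip" }
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Move-Item -Path $Zip -Destination $Work -Force
Expand-Archive -Path (Join-Path $Work 'hollows_hunter64.zip') -DestinationPath $Work -Force

$exe = Get-ChildItem -Path $Work -Filter 'hollows_hunter64.exe' -Recurse | Select-Object -First 1
if (-not $exe) { throw 'hollows_hunter64.exe not found after extraction' }

# Snapshot existing subfolders so the report folder created by the run can be identified.
$before = Get-ChildItem -Path $Work -Directory | Select-Object -ExpandProperty FullName

# -Verb RunAs raises the UAC prompt, the same as "Run as administrator".
Start-Process -FilePath $exe.FullName -WorkingDirectory $Work -Verb RunAs -Wait

$report = Get-ChildItem -Path $Work -Directory |
    Where-Object { $before -notcontains $_.FullName } |
    Sort-Object CreationTime -Descending |
    Select-Object -First 1
if (-not $report) { throw 'No new output folder was created; check the scanner console output' }

$archive = Join-Path $Work ("{0}.zip" -f $report.Name)
Compress-Archive -Path $report.FullName -DestinationPath $archive -Force
Write-Host "Report zipped to $archive; attach this file to your reply."
```

The run itself is unattended apart from the UAC prompt; if the scanner writes no folder (for example because nothing was flagged), the script says so instead of zipping something unrelated.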

  • Root Admin

It scanned your Bitdefender process as potentially suspicious but all looks good. It's simply doing its job.

If the computer is not operating properly, my guess would be that something has damaged the Registry. The best way to truly correct and recover from this is to back up all your personal data and do a fresh, clean install of Windows.

 

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

Do I need a Windows Registry Cleaner?
https://forums.malwarebytes.org/index.php?showtopic=126481


Greg Carmack has an excellent, well documented article on performing a clean install of Windows 10. I don't personally agree with him or Microsoft about using an Online account, but that's a personal choice. I don't share or sync anything on purpose. I prefer safety over convenience.

 

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

Let me know if there is anything else I can assist you with.

Thank you @DarkLord7736

 

Edited by AdvancedSetup: updated information

@AdvancedSetup

Thanks for the help. Personally I like the Microsoft account, as I subscribed to the 365 plan and it gave 500 GB of online storage in OneDrive. Also, I never used any registry cleaner. Clean-install aftercare (installing apps, tweaking Windows according to preferences and signing in to many accounts) takes a lot of time, so can I reinstall Windows using the Media Creation Tool without removing any data? Will that solve the issues with the registry?


  • Root Admin

No, I would not suggest that. The REGISTRY is the heart of Windows. Without a CLEAN install you're simply bringing trash into the new home, so to speak.

I'm subscribed to Office 365 as well. It has absolutely nothing to do with having an "Online Account" for logging into your local computer. Again, personal choice, but I prefer security, safety and privacy over convenience, which is what they're trying to espouse.

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
