Please help remove malicious 'Hidden Network' setup on my system.

[GANI482]

Like the title says, I have a malicious Hidden Network setup on my Windows.  I have been trying everything I could think of, including a fresh windows install, which the malicious network survived.  There were also mystery partitions on my drives that were not from me.  Does anyone out there know how to defeat these hidden networks?  I have been attempting to reset permissions with programs like Windows Repair All-in-One, from tweaking.com.  I receive errors like - 

"ERROR: Writing SD to <machine\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Perflib\CurrentLanguage> failed with: The handle is invalid.
ERROR: Writing SD to <machine\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Perflib\009> failed with: The handle is invalid.
ERROR: Writing SD to <machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\CurrentLanguage> failed with: The handle is invalid.
ERROR: Writing SD to <machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009> failed with: The handle is invalid."

I am hoping someone on here has had direct experience with defeating these sort of malicious hidden networks, and how to prevent them from happening again.  I have tried to get help on other 'malware removal' type forums, but the people I happened to be in touch with there didn't know how to defeat these sort of things either.  I thank you all for reading this, and hope someone out there knows how to fix this.

[kevinf80]

Hello GANI482 and welcome to Malwarebytes,

How do you see the hidden network? A hidden network is not always malicious, it may very well be inert. When I single left click on my Wifi icon I can see several networks that are broadcasting within access of my Network adaptor (Wireless Card). As WiFi networks broadcast their Service Set Identifier (SSID) every 100 milliseconds or so to let other devices know of their presence, to connect you have to know the password, simple as that..

I`ve attached an image of networks broadcasting within reach of my wifi card, you will note one named as "hidden network" That is identified because the hidden attribute has not been turned on by the owner, that network has been given the name "Hidden network" by the owner, it could have been given any name, eg "come fin me" or "try to find me" or like mine "VM809959"

Regarding your partitions, i`ve attached a zip file "Preformat.zip" unzip that to your Desktop so you have a folder named "preformat" inside that folder is a file named "Preformat.vbs" Double click on that file, it will run and create a file named "Preformat.txt" within the folder, attach that to your reply...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans"   Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. If necessary you may have to do the following to ensure FRST runs: Disable smart screen if it interferes with software we may have to use: https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8 Please remember to enable when we are finished.... Next, Disable any Anti-virus software you have installed if it stops software we may use from working: https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/ Please remember to enable AV software when we are finished running scans.... Thank you, Kevin

Preformat.zip

[GANI482]

Hello.  I have attached the requested logs.  I see it in my wifi list yes the same as you linked.  However where I live, I can tell it is from my system because the hidden network, and my network are the only ones with full bars.  I will try to explain further as to why I think this.  In doing some resets I see things like this log below, where it shows my normal network, then below it nameless resets and a denied reset.  I suspect that could be evidence of the hidden network. Also in my logs you will see a second administrator account, and multiple guest ones.  This led me to suspect malicious actors could have possibly accessed my system remotely though a 'log in as' type thing.  Another thing I am not sure is a problem is that under my Windows Exploit Protection, there is multiple entires in the 'allow' category.  I have not made those entires so I am not sure if they are just default windows entires.  I suspected, if this is malicious, it came from a pirate software some 6 months ago.  This was before doing a fresh windows install, and I have not used any questionable software at all since that time.  Or potentially from clicking bad phishing links on a chat program called Discord.  My google password was phished from Discord, but I believe to have changed all passwords and there does not seem to be a problem with that anymore.  But there was a period of time where malicious actors DID have my passwords, and had access to my microsoft account that is tied to this system.

"Resetting Compartment Forwarding, OK!

Resetting Compartment, OK!

Resetting Control Protocol, OK!

Resetting Echo Sequence Request, OK!

Resetting Global, OK!

Resetting Interface, OK!

Resetting Anycast Address, OK!

Resetting Multicast Address, OK!

Resetting Unicast Address, OK!

Resetting Neighbor, OK!

Resetting Path, OK!

Resetting Potential, OK!

Resetting Prefix Policy, OK!

Resetting Proxy Neighbor, OK!

Resetting Route, OK!

Resetting Site Prefix, OK!

Resetting Subinterface, OK!

Resetting Wakeup Pattern, OK!

Resetting Resolve Neighbor, OK!

Resetting , OK!

Resetting , OK!

Resetting , OK!

Resetting , OK!

Resetting , failed.

Access is denied.

 

Resetting , OK!

Resetting , OK!

Resetting , OK!

Resetting , OK!

Resetting , OK!

Resetting , OK!

Resetting , OK!

Restart the computer to complete this action

FRST.txt Addition.txt Preformat.txt

[kevinf80]

Hiya GANI482,

The partitions listed on your system are all legitimate. There is no Hidden network on your system, what you see listed is a network that your system identifies, full bars only mean the signal is strong, nothing sinister... My own system picks up 15 networks, these are from neighbours routers broadcasting their SSID`s signal strength or number of bars is down to proximity, the closer the broadcast the stronger the signal..

Continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from. NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied:   Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Please download AdwCleaner by Malwarebytes and save the file to your Desktop. https://downloads.malwarebytes.com/file/adwcleaner Right-click on the program and select Run as Administrator to start the tool. Accept the Terms of use. Wait until the database is ?updated. Click Scan Now. When finished, please click Clean & Repair. Your PC should reboot now if any items were found. After reboot, a log file will be opened. Copy its content into your next reply. ? Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system.... https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Full Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply... Thank you, Kevin.

fixlist.txt

[GANI482]

I have performed the the tasks, and included the logs.  There were several detections on that Microsoft scan.  Another thing I feel I should mention is, you said it was going to clear my edge cache and such.  I ran the fix then notice all of accounts are still logged in on the browser, the log says nothing edge was cleared for some reason, and there is still massive edge cache visible through ccleaner.  I have included a screenshot of the cache.  Thank you!

msert.log AdwCleaner[C00].txt Fixlog.txt

[kevinf80]

Hiya GANI482,

Thanks for those logs. The entries flagged in the MSERT log only show Windows Defender as being turned off, that is normal as your current resident security will have made those changes...

Your other query can be confusing when different applications contradict each other. When a file is removed from your hard drive it is not really removed, all that happens is the space where the file shows is opened so that space can be reused... Consider your hard drive to be a massive filing cabinet with thousands of very small boxes. When a file is created it is placed in a box and the lid is closed, that keeps the file safe. Each box has an address, sometimes called a pointer, windows uses those to access the files.

When any of those files are removed the box is opened and the pointer removed, that means that box can be reused when a new file is written. In this case FRST has made all identified spaces available to be reused. However, as we now know the space still contains the original file but it can now be overwritten. A different application (CCleaner) just shows the file as present, it does not let you know the space can be overwritten. Does that help..?

How is your PC responding now, any remaining issues or concerns...

Thank you,

Kevin.

[GANI482]

When I originally ran the MSERT, it showed that it had found 4 infections, not just the 1 for windows defenderthat was in the log.  I decided to rerun the program, and sure enough it detected 4 infected files, yet they are somehow hidden when the scan finishes saying it found nothing.  These 2 screenshots were taken 1 minute apart, during the scan, then after the scan.  I would think this should not happen, and that if windows own scanner you provided is showing that there are still 4 infected files, then there has to still be an infection.  How can this be, and how can we make it so there are zero infected files in my Windows?  The scanner contradicts its own log, which also says it found nothing.  Have you ever seen this exact thing happen before, where the log will show nothing, yet the scanner has detected 4 infected files?  

[GANI482]

I am not positive, but I suspect these 4 files it detects, are the 4 files I posted at the very top of this thread.  Which I am unable to access or write over the files.

[kevinf80]

Hiya GANI482,

The scan by MSERT can really cause confusion for the layman, it really is a proper PIA. The scan shows infected files during the scan, yet gives a clean bill of health on completion...

During the scan files or general data are found showing possible malicious signatures, that gives cause for panic during the scan. Near the end of the scan  Microsoft scanners all perform what is known as a MAPS (Microsoft Active Protection Service) request. Samples are uploaded to the the Microsoft cloud servers in order to have their initial findings checked out, confirmation on these findings will confirm either malware, false positives or inactive fragments. If malware is not confirmed then the scan returns a clean bill of health, and rightly so...

Microsoft scanners are really far more complex and deep than most people know or understand, I prefer to use MSERT during final analysis checks than some of the big guns that are available.

Does that help..?

Kevin....

[GANI482]

My latest update is that I did a reinstall repair for windows.  Now I am running a rootkitscan and it is detecting MANY viruses in my old Windows installation.  What do we do now, and how do we know those same files were not installed onto my new installation as well?

[kevinf80]

Lets wait for the log....

[GANI482]

How do I access the log, this is frustrating just trying to find.

[kevinf80]

To get the log from Malwarebytes do the following:   Open Malwarebytes Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply

[GANI482]

sorry that was so confusing for me for some reason.  i think it is some sort of spyware.

log.txt

[kevinf80]

Those files are not malicious per se, they are genuine files related to Microsoft.Net framwork. However, as they are listed in the Windows.old folder and not the normal C:\Windows folder Malwarebytes has flagged them as malicious...

One point i do not understand, why have you made a repair install of Windows 10, i see no reason to do that.

i would list that log you posted to the file detection section of the following forum link, have them checked to see if they are definitely false positives..

https://forums.malwarebytes.com/forum/42-file-detections/

[GANI482]

Well every time I reboot and run sfcscan, it finds corrupted files.  Every time it repairs them, until my next reboot.  Even after the repair reinstall this is still happening so I dont know what to think now.

[kevinf80]

SFC finding corrupt files after a repair install is very strange for sure.. Run the following frst fix and post the produced log..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

fixlist.txt

[GANI482]

That worked good with no problems.  Its hard to explain, but the pc does seem to be behaving correctly now, other than that first sfc scan i did after the repair which did a repair, this time it did not.  my edge cache clears properly now through the browser.  whether i was really infected or not, i think i have accepted now that things are most likely better.  people on that other forum said those detections were false positives.  i still feel like perhaps those files were doing something to my browser, which is not working better too.

Fixlog.txt

[GANI482]

which is now working better i meant 

[kevinf80]

How do you feel your PC is responding now, any remaining issues or concerns..?

[GANI482]

I reran that last fix just to make sure there was nothing on sfcscan again, and it was fine.  i am thinking the problems are fixed for the most part for now.  thanks for being patient dealing with me.  i do feel safer about my pc now.

[kevinf80]

Hiya GANI482,

Thanks for the update, good to hear your system is ok for you now. Also good to hear you feel safer, that`s why we are here, comeback anytime... Cotinue to finish up:

Right click on FRST here: C:\Users\Satan\Desktop\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator" If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall That action will remove FRST and all created files and folders... Next, Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/ Condsider the following: Disable Remote Desktop: https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html Disable Windows Telemetry: https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/ Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/ Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Will also work for Opera and Edge.. PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download From there you should be good to go... Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...

[GANI482]

hey real quick, sorry for keeping this one going now.  are these errors i get when trying to reset permissions malicious, and do you have any idea how to fix them?  I just tried to reset again and get same errors.  Figured I may as well check on last time here before going away.

"ERROR: Writing SD to <machine\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Perflib\CurrentLanguage> failed with: The handle is invalid.
ERROR: Writing SD to <machine\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Perflib\009> failed with: The handle is invalid.
ERROR: Writing SD to <machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\CurrentLanguage> failed with: The handle is invalid.
ERROR: Writing SD to <machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009> failed with: The handle is invalid."

[kevinf80]

Those are not malicious, they are genuine errors. What exactly are you doing to create them. Which permissions are you trying reset, what software are you using...?

[GANI482]

i am using Windows Repair All in One from tweaking.com.  I am trying to reset registry permissions but keep getting these errors.