
Been having issues for years


Recommended Posts

I have been having issues for years: strange connections to my PC, strange behavior. It all survived OS wipes, and would appear even on Live Linux Distros. I have, at one point, lost months/a year into freaking out over this, but for the past 3-5 years or so, I just ignore it... I just couldn't handle it anymore. The thing that brought my attention back to this issue was I was on the DSLreports website, testing my network speed and bufferbloat, and it wouldn't run the test on any browser and it stated that there were "alien scripts" running on my PC. I've scanned it with everything under the sun with no results. However, when I use a different connection, like my cellphone hotspot, the message about alien scripts disappears. I've also tried multiple computers/cellphones connected to my home router and they all say "alien scripts detected." So, I believe this malware has taken over my router as well. I've tried everything, except asking you guys for help. So, I'm hopeful.

Addition.txt FRST.txt


Hello @BrockLeeVegetable and :welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Unfortunately, the version used above for FRST64.exe is superseded by today's release. Please correct.

Thank you.


  • Root Admin

Hello and :welcome: @BrockLeeVegetable

My screen name is AdvancedSetup and I will assist you with your system issues.

We get hundreds of spam posts so we have to use software that attempts to monitor that. I have removed some of the blocking for your account.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

To begin, let me say that IF half of what you said were true then you'd need to throw away your router and all computer equipment and start fresh again. Now, that obviously isn't the issue or the fix.
I've been doing this type of work now for decades and I've not personally seen anyone with the type of infection they think they have because they've read something scary on the Internet.

There are some scary infections possible but most are in labs or directed at people or businesses that are state-level targets of high value. A home user on a $2K computer is not worth their time.

With that out of the way, let's look at a few items shown in your logs.

  • You say it's been going on a long time and you've done everything you can think of. The logs show you're sharing with other computers in the home. That right there is not something you should be doing. A computer having an issue should be isolated from others as best as possible.
  • The last installation or major upgrade looks to be 4 months ago (2022-05-24). No CLEAN installation of Windows appears to have been done for at least 4 months.
  • You have multiple games, programs, etc. installed. Again, a computer having issues anything like you claim should have no 3rd party software installed until you've found or corrected the issues.
  • The classes for executable files have been modified. Again, the computer should remain as much as possible in STOCK settings and values until the issue is resolved.
  • It looks like you probably installed a desktop tool from VirusTotal but that tool keeps faulting. Generally speaking, a tool like that is for users that daily interact with and check files. Most home users have no real need for the tool.
  • It looks like you have either enabled Hyper-V or have been playing with it. Nothing wrong with that as it is a fantastic hypervisor, but again, with an infected system one should not be adding complexity to the system.
  • You have browser desktop notifications enabled. This can have risks and you might want to consider not using them or, if you do, make sure you're aware of the risks.
    • https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/
    • Turn notifications on or off - Google Chrome
    • Web Push notifications in Firefox

The logs do show signs of current infection. I will write a clean up script for you here shortly.

Thanks

  • Root Admin

Please run the following fix below.

Once the fix has been completed, please attach the file FIXLOG.TXT on your next reply @BrockLeeVegetable

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

Hi,

Thanks for the reply. As I said (or maybe didn't say because it kept flagging my post for spam for some reason), I kinda just gave up on figuring out the malware issue, and for my sanity and the enjoyment of owning a very fast gaming machine, I resumed my normal computer behaviors. I mean, I couldn't do anything about it.

Before we move forward, I just wanted to discuss a few things;

I totally get what you are saying about my computer not being worth the time and effort, because I don't understand it either. It baffles me that you didn't find anything on my computer because why would I be getting the alien script message from dslreports? I know that's a small detail, but it won't even spool up the test because of it. And the behavior where it's only on my home router and not my 4G hotspot. Super suspect... Also, I have not attempted to log into this account since I posted this original message and it was locked out on my first attempt. Just today there were exemptions placed in my Windows Defender that I never put there. For the first time ever, it told me that it skipped files due to new exemptions. Also, my cellphone's internal IP address was just coming up as 10.10.10.41 connected to default gateway 10.10.10.254. This is not my local addressing scheme, and although possible with the 10.0.0.1/8 network ID my router comes with by default, it's not a subnet or IP I set up. Scanning the "gateway" reveals some weird ass ports opened and just extremely strange behavior. Another thing was trying to install some official drivers for a steering wheel I just bought, and when I went to install them, I clicked more info and it was installing from a nonexistent folder on a drive I never use, not from the downloads folder where the file actually was. It was like "f:\859fjdfud8495834jfd\" or something. I know these things are small, and pale in comparison to many of the instances that have happened in the past with my devices, but just strange things that happened in the last 24 hours. Oh, and I never set this PC up for sharing, it should be turned off. All of the things you mentioned that are no-nos with my PC, other than Hyper-V, I for sure did not allow. I especially do not have any notifications from the web, I hate those with a burning passion and disallow them every time. The thing about the updates? I update my computer every day.
It says they are complete and I reboot my computer. I haven't wiped my computer in a while because I gave up on that as well, because it would just reinfect instantly. I would even disconnect it from the internet and keep it that way for a while and it'd still be doing weird stuff. Of course no external hardware or devices (besides the installation, but that would have been easily compromised as well). I try to think of every way it could get reinfected and avoid it, but it's very difficult to do when the malware could be on literally anything and everything associated with computing. I have even heard of malware using speakers to broadcast a signal to other PCs, but that's way too far down the rabbit hole for today. Speaking of rabbit holes, I swear the more I investigate, the harder the malware pushes back. I swear I am totally sane, and have a very productive and functional life. This crap definitely makes me feel like I'm losing it at times, because it is just so inexplicable and I can't understand who, what, when, where, and why?

Lastly, I have Hyper-V because I am in college studying for my computer science degree and one of my classes is on Hyper-V and virtual machines. So, I am pretty adept with computers as a whole. I know enough to know this behavior is highly suspect, but I'm not specialized in anything yet, especially malware or programming and the like. Whatever this is, it is extremely good at hiding itself.

I totally understand your hesitation in believing me, as most people scare themselves into thinking all sorts of crazy things. But I am very calm, logical, and thinking critically.

PS - sorry if this was kinda messy grammar/structure-wise. I broke my hand and it's very laborious and difficult to type because I'm used to typing a million words a minute and now I have to hunt and peck with one hand. Very frustrating and painful, I might add. haha!

I know I'm not following your instructions exactly right now, and I apologize, but hear me out real quick.

Here's a small example, notice how these "local" addresses are being routed through my public IP, some of them with many hops in between. How can I be communicating with local subnets from a completely different local subnet, to public remote computers? This is a mild example, some of the other IPs I've investigated were even more hops/more convoluted. Also, notice how the traceroute lines are dashed, meaning there are more hops; I just couldn't get any info on them, they are hiding.

There are three quick screenshots, excuse the horrid red paint program writing, I am very busy and didn't have time to make it look nice. Anyway, two just show a few random traceroutes to "local" IPs and the other is an ARIN whois lookup on one of the IPv6 addresses just showing it's a locally designated IP in IPv6.

Does this not seem very strange? Or am I misinterpreting these?

Arinipv6whois.png

Screenshot 2022-10-02 185207.png

traceroute.png

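The hop addresses in a traceroute are easier to reason about once each one is labelled by the IANA special-purpose range it falls in. The Python script below is an added example and was not posted in this thread: it parses Windows tracert output (a constructed sample, not the screenshots above), labels each hop as private (RFC 1918 for IPv4, ULA for IPv6), CGNAT (RFC 6598, 100.64.0.0/10), link-local, loopback or global, and reports which private or CGNAT hops appear after the path has already reached a public address. The well-known public resolver 8.8.8.8 stands in for any global hop; the destination and gateway values are made up.

```python
import ipaddress

# Constructed sample of Windows tracert output; it is not taken from the
# thread's screenshots. 8.8.8.8 is used only as a stand-in public hop.
SAMPLE_TRACERT = """\
Tracing route to 10.10.10.41 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  100.64.12.1
  3    11 ms    10 ms    12 ms  8.8.8.8
  4     *        *        *     Request timed out.
  5    14 ms    13 ms    14 ms  10.10.10.254
  6    15 ms    15 ms    15 ms  10.10.10.41

Trace complete.
"""

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT. The
# ipaddress module reports it as neither private nor global, so it gets
# its own label here.
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")


def classify(ip_text):
    """Return a label for one address based on IANA special-purpose ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not-an-address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:            # 169.254.0.0/16 or fe80::/10
        return "link-local"
    if ip.version == 4 and ip in CGNAT_V4:
        return "cgnat"
    if ip.is_private:               # RFC 1918, ULA fc00::/7, documentation ranges
        return "private"
    if ip.is_global:
        return "global"
    return "other-special"


def parse_tracert(text):
    """Parse tracert output into (hop_number, address_or_None, label) tuples."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                # header, blank and trailer lines
        hop = int(parts[0])
        if "Request timed out." in line or parts[-1] == "*":
            hops.append((hop, None, "no-response"))
            continue
        addr = parts[-1]
        hops.append((hop, addr, classify(addr)))
    return hops


def path_summary(hops):
    """Summarise where private/CGNAT hops sit relative to the first global hop."""
    labels = [label for _, _, label in hops]
    first_global = next((i for i, l in enumerate(labels) if l == "global"), None)
    after_global = [
        hop for i, (hop, _, l) in enumerate(hops)
        if first_global is not None and i > first_global and l in ("private", "cgnat")
    ]
    return {
        "hops": len(hops),
        "no_response": labels.count("no-response"),
        "first_global_hop": hops[first_global][0] if first_global is not None else None,
        "private_or_cgnat_after_global": after_global,
    }


if __name__ == "__main__":
    parsed = parse_tracert(SAMPLE_TRACERT)
    for hop, addr, label in parsed:
        print(f"{hop:>3}  {addr or '*':<20} {label}")
    print(path_summary(parsed))
```

Two facts matter when reading the result. RFC 1918 addresses are not routed across the public Internet, so a private hop that appears after the first global hop is numbering inside whichever network that public router forwards into; ISPs routinely number their own internal links from RFC 1918 or 100.64.0.0/10, and those show up in traceroutes from home connections. An asterisk line means only that the hop did not answer within the timeout, which many routers rate-limit or suppress by policy. Settling both points is the first step before treating a path as evidence of anything on the local side.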

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
