Hidden malware issues


Solved by Maurice Naggar

Good Afternoon

I have a very persistent stealthy malware on my pc. No virus scanners could find it, but after running files and checking connected IPs through VirusTotal I found some related to Neshta, some to Cobalt Strike and njRAT, plus a few WannaCry and MyDoom detections (I thought those last two were obsolete!). 

I have done several clean reinstalls of Windows but it is still there. I'm starting to wonder if it's a rootkit or bootkit. It uses RPC, IIS, SMB, HTTP, DCOM, SC and continually modifies the registry. Disables all AV. I think the UUID of the machine has been hooked to a "domain" as it seems to be booting from there when I reinstall, despite having PXE turned off in my BIOS. 

These are the Defender notifications I got within a few hours of each other before it stopped detecting anything:

Trojan:Powershell/PSAttack.D!MTB (amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowershell\v1.0\powershell.exe)

 

Win32/TamperIPHlpSvcTeredoType.A

(Svchost.exe)

 

Win32/MPTamperSecurityHealthHostInjectionOpen.A 

(svchost.exe)

 

Win32/DNSRegistryChange.A

(svchost.exe)

 

Let me know what you need from me to help me solve this issue. 


Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.

NEXT step to do.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


The MS Safety scanner reported no threats found. We will do other procedures.
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide


Malwarebytes can detect and remove most malware with no further actions required for free.

Please download, install, update Malwarebytes
https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773
and post back the log as shown below.
Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Hi Maurice, I downloaded the scanner and started it; it has taken an hour to get about one third of the way through. I've had to cancel it for now and will run it again in the morning, the pc is in the same room as my daughter and she's wanting to go to sleep (10pm here). 

 

I did a search for powershellv1.0 and see it's still in the system under programfiles\windowspowershell, system32\windowspowershell and winsxs\windowspowershell. Along with many scripts, batch files, pester and chocolatey. If the scan returns as clean can you help me remove these as I don't run scripts on system (had policy set to block them). Another thing I noticed along with psv1.0 in registry is I'm apparently using Windows Enterprise? Yet it's meant to be pro. Is there a forum that's best suited to resolving these issues? Thanks again. 


First, I do regret that you cancelled the Malwarebytes scan run. You could simply have left it running as is. Once the run starts, you do not need to be constantly watching. As to PowerShell, do not go poking or hunting on your own. PowerShell is a normal component of Windows. And your thread here is in the right area. I will guide you along and we will be checking for all sorts of issues. Just do not make any changes or tweaks on your own without first checking with me.

This operating system is a PRO edition.  Windows 10 Pro Version 2004 19041.208, which by the way, is very much in need of getting it to the Fall 2022 upgrade, known as 22H2 release.  I will be helping you on this too. The edition-version currently on this box is from Spring 2020.

Stick with me. I am looking for the result from the Malwarebytes scan before we do a number of other things.


I did have the system fully updated but had to reinstall from HP media yesterday as was experiencing black screen when turning on pc. 

I do think the virus scans are being changed in some way, I don't know how that could be investigated, however I have the mwb logs for you. 

mwbreport.txt


5 hours ago, dizzydi said:

I did have the system fully updated but had to reinstall from HP media yesterday as was experiencing black screen when turning on pc. 

The Malwarebytes report you just provided says the operating system is 

-System Information-
OS: Windows 10 (Build 19041.208)

which is SO so way behind and out of date. You gotta retire and put away the HP media thing.

It is so SO important to do what follows. The goal here is to get the Windows operating system to the latest possible release of Windows 10.

These next steps can be referred to as a Windows 10 repair-install in place.
If this machine is a laptop or notebook, be sure it is connected to power thru a regular power cord to regular electric power.
( that is to say, not be on battery power).

1. Back up your personal data and files to an external hard drive, USB thumb drive.
2. Restart Windows.
3. Ensure you are signed in or have administrator rights to do a repair install
4. Unplug all external peripherals except for the Mouse, Keyboard, and LAN cable before starting. (Unplug printers, copiers, fax machines, if any.)

Download the Microsoft Update Assistant on the Microsoft page  ( click on the blue-color Update now button )
https://www.microsoft.com/en-us/software-download/windows10
or from https://go.microsoft.com/fwlink/?LinkId=691209

After it is completely saved, start the tool and select "Upgrade this PC now."

Make sure to select " Keep personal files and apps. "

It will take some time to run & complete. Your computer will restart a few times, Make sure you don’t turn off your PC
If you see a dark screen at times, do not fret.  Just simply move the mouse pointer around the screen or press the space bar to trigger a screen display refresh.
 


I ran the update assistant but the pc is still the same version. I got a pop up to restart pc but ignored it and just let it run, it did restart itself. I've added a picture of what appeared on screen. It did also say it would restart 30 minutes after installation so I'm just letting it be for now to see if anything happens. Will update once I have re-checked it in a short while.

 

PXL_20230716_081530214.jpg


Hello. Bravo. Thank goodness, so great to see the Windows 10 is at OS Build 19045, which is the 22H2 version. Just for the sake of integrity, do this one check. To ensure that this pc is all up-to-date with security updates & cumulative updates on Windows, select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.

[  2   Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

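As an added example, not part of Maurice's post and not a Malwarebytes or Microsoft tool, the same checks the post walks through in the Windows Security GUI can be done from an elevated PowerShell prompt: confirm the OS build is at 22H2 (19045), confirm Defender is on and its signatures are fresh, and run a custom scan of C:. It goes slightly beyond the post by also checking the state of the Windows Update service, which becomes an issue later in the thread. It assumes Windows 10 with the built-in Defender cmdlets (Get-MpComputerStatus, Start-MpScan) available; the registry values read are the standard CurrentVersion keys.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell window on Windows 10.
# Assumes the built-in Defender module is present (it is on any stock Windows 10 install).

# 1. Which edition / release / build is actually installed?
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = "$($cv.CurrentBuildNumber).$($cv.UBR)"
"Edition: $($cv.EditionID)   Release: $($cv.DisplayVersion)   Build: $build"
# 19045 is the 22H2 build the thread is aiming for; anything lower means the upgrade did not take.
if ([int]$cv.CurrentBuildNumber -lt 19045) {
    Write-Warning "Build $build is below 22H2 (19045); the upgrade has not applied."
}

# 2. Windows Update service: if it is Disabled the box can get neither patches nor Defender updates.
$wu = Get-Service -Name wuauserv
"Windows Update service: Status=$($wu.Status)  StartType=$($wu.StartType)"
if ($wu.StartType -eq 'Disabled') {
    Write-Warning 'wuauserv is Disabled. That is not a default Windows setting and deserves a closer look.'
}

# 3. Defender: engine on, real-time protection on, tamper protection on, signature age.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    TamperProtection   = $mp.IsTamperProtected
    SignatureAgeDays   = $mp.AntivirusSignatureAge
    LastFullScanEnd    = $mp.FullScanEndTime
} | Format-List
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Defender is not fully enabled; do not rely on its scan results until that is fixed.'
}

# 4. Refresh signatures, then run the custom scan of C: that the post describes.
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath 'C:\'

# 5. Afterwards, list anything Defender has recorded (no output means nothing was detected).
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, Resources |
    Format-Table -AutoSize
```

The scan runs synchronously, so expect the prompt to sit busy for as long as the GUI scan would; the detection list at the end is the same data the Windows Security "Protection history" page shows.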

Maurice, 

There were further updates. When I agreed to restart to finish installing them, the screen has gone back to being black again. There was no HP sign when it restarted, just a black screen. Space bar, mouse, Ctrl+Alt+Del doesn't bring anything up. Can see the desktop is running as the lights are still flickering away. I've gone to get a coffee and a break to see if it sorts itself out. Luckily I did do a restore point once upgraded to 22H2, hopefully I can just restore the pc to that point if the screen remains blank. Will respond again shortly.


No bueno.

I'm reinstalling with that HP recovery media again, will follow steps to update to 22H2 then create recovery media that's up to date. Once I do that will check for updates again, to see if issue persists. I'm not sure why it keeps doing this, I regularly get a completely blank screen or a BSOD. Once I get to that point we can try further steps as long as machine is co-operating. Thank you for your help so far and being patient. I think it will be tomorrow before I post back now. 


On 7/16/2023 at 12:21 PM, dizzydi said:

Maurice, 

There were further updates. When I agreed to restart to finish installing them, the screen has gone back to being black again. There was no HP sign when it restarted, just a black screen. Space bar, mouse, Ctrl+Alt+Del doesn't bring anything up. Can see the desktop is running as the lights are still flickering away. I've gone to get a coffee and a break to see if it sorts itself out. Luckily I did do a restore point once upgraded to 22H2, hopefully I can just restore the pc to that point if the screen remains blank. Will respond again shortly.

IF there is ever again "a blank or black screen" that has absolutely no on-screen characters of any sort......just POWER OFF the machine.

If machine is a notebook or laptop, then press and hold the power button down until you can sense that the power is all off.

Then wait like a minute after the power-off. Then turn the power ON and just wait until Windows loads normally.

What all this sounds like is that the machine was not able to load up into your user profile.

Di

That sort of event has been known to happen. The other thing is, you need to cease jumping onto & using your OLD recovery media.

Instead you need to make a special USB-thumb-flash drive with the proper Microsoft Windows 10, ......when you have a clean working Windows system and a USB drive.

Separately, have a new USB-flash-thumb drive ( at least 8GB size) and make a bootable USB Windows 10 Media Creation tool . Look on the section OPTION ONE for Media Creation Tool

https://www.tenforums.com/tutorials/2376-create-bootable-usb-flash-drive-install-windows-10-a.html

That special drive may be used to do a special bootup, so that then one can make inquiry & possible fixes

Edited by Maurice Naggar
corrections applied

I did power off by pressing the power button for 5 seconds. Left it a few minutes. Powered on. Received the black screen again. Repeated a few times. Finally got the HP logo and then it went to a blank screen. So tried Ctrl+Alt+Del and didn't get anything; sometimes that will bring up the logon screen but nothing happened. At that point I realised the system wasn't going to boot. I don't have access to any other computer so cannot just make clean media at my leisure. I did say once the machine is loaded up and working again I will create media with the up-to-date version. Currently that is impossible. I am doing the best with what I have got. 

 

I would still like help if possible? 


Update: I managed to use the HP USB to start Windows repair, and used a restore point I had made after the system was updated to 22H2. Ran further updates and this time it went without a hitch. Microsoft Defender scan on C:\ returned no issues. 

What next? 

 

 

Screenshot (2).png


Download & save a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Let's pause and make time and just get a set of fresh reports to see what is running, what is active. Your machine has the FRSTENGLISH report tool on the Downloads folder. We will use that. Go to Downloads folder. RIGHT-click on FRSTENGLISH and select 

Run as Administrator

and tap ENTER. And reply YES to allow to proceed.  

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.

_frst_scan.jpg

  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.

(   2   )

Have a new USB-flash-thumb drive ( at least 8 GB capacity)
Make a USB Media Creation Tool USB device. It will be a potential life-saver in a pinch in future.

Look on the section OPTION ONE for Media Creation Tool

https://www.tenforums.com/tutorials/2376-create-bootable-usb-flash-drive-install-windows-10-a.html

That special drive may be used to do a special bootup, so that then one can make inquiry & possible fixes

Edited by Maurice Naggar

Meantime do not add any programs, applications or "stuff". Do be sure to make the Media Creation tool.

Open an elevated Command-prompt window i.e. run Command Prompt as an administrator .

On the Taskbar Search box, type in

cmd.exe


click the line for "run as administrator"


It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
On that Command prompt,  Copy & Paste this command

chkdsk C: /x /r


press Enter-key on keyboard   You will be prompted whether to allow to run after a Reboot/restart
reply YES  and let it proceed.
 


Once again, do not add any programs, apps, or "stuff" on your own without checking with me first and getting my reply. There are some issues here, like Microsoft Windows Update being disabled !!  At your next chance do this 

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.



I have made the recovery media.

Chkdsk was "in use by another volume", so I typed Y and restarted the machine to let it run. I don't know where to find the logs for it (if there are any), but it did say repair completed. 

I have also now set MWB to not register with windows security center. 

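The question of where a boot-time chkdsk leaves its report comes up in the post above, and Maurice's follow-up asks whether the run actually executed. As an added example, not part of either post, this PowerShell snippet answers both: when chkdsk runs at startup (after answering Y to "schedule on next restart"), Windows records its full output in the Application event log under the source Microsoft-Windows-Wininit, Event ID 1001; a chkdsk run from an interactive prompt is logged under the source Chkdsk, Event ID 26226. It assumes an elevated PowerShell session on Windows 10; the Desktop file name it writes is a made-up one.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell window.
# Boot-time chkdsk results: Application log, provider Microsoft-Windows-Wininit, ID 1001.
# Interactive chkdsk results: Application log, provider Chkdsk, ID 26226.

$filters = @(
    @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001  },
    @{ LogName = 'Application'; ProviderName = 'Chkdsk';                    Id = 26226 }
)

$events = foreach ($f in $filters) {
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches the filter
    Get-WinEvent -FilterHashtable $f -MaxEvents 5 -ErrorAction SilentlyContinue
}
$events = $events | Sort-Object TimeCreated -Descending

if (-not $events) {
    Write-Warning 'No chkdsk result in the Application log: the scheduled run most likely never executed.'
    return
}

foreach ($e in $events) {
    "==== chkdsk run logged $($e.TimeCreated) (source $($e.ProviderName), ID $($e.Id)) ===="
    # The lines that matter: whether problems were found and whether anything was repaired.
    $e.Message -split "`r?`n" | Where-Object { $_ -match 'found|repair|corrupt|bad clusters|no further action' }
    ''
}

# Save the most recent full report so it can be attached to a forum reply.
# 'chkdsk-result.txt' is an arbitrary name chosen for this example.
$out = Join-Path $env:USERPROFILE 'Desktop\chkdsk-result.txt'
$events[0].Message | Out-File -FilePath $out -Encoding utf8
"Full report saved to $out"
```

If the only events listed are older than the restart in question, or none are listed at all, the scheduled run did not happen, which is exactly the case Maurice's next reply suspects; repeating the Windows Restart (not Shutdown) is the usual fix, since Fast Startup can skip the boot-time check.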

Did you reply Y  to that last question ?  I suspect the run did not actually run.  Do a Windows shutdown >> Restart from the start menu. We need to see that upon next bootup that the CHKDSK does execute.  Also, by the way, advise me, is the Malwarebytes newly installed, a paid-for-license or is it a new trial install ?

