Hidden Virus in Event Viewer, possible botnet


d9d9

  • Root Admin

Don't need to use Diskpart. The UI from the Windows 11 installer will present all the partitions and you can delete from there.

Depending on how new the computer is or what type of disk controller you have you may need Intel RST drivers to see the drive.

38 minutes ago, AdvancedSetup said:

Don't need to use Diskpart. The UI from the Windows 11 installer will present all the partitions and you can delete from there.

Depending on how new the computer is or what type of disk controller you have you may need Intel RST drivers to see the drive.

 

Yeah, my problem was, when doing that through Revision OS I had partitions that couldn't be deleted for some reason, so hopefully it goes differently using the Windows 11

45 minutes ago, AdvancedSetup said:

Don't need to use Diskpart. The UI from the Windows 11 installer will present all the partitions and you can delete from there.

Depending on how new the computer is or what type of disk controller you have you may need Intel RST drivers to see the drive.

Alright, the only reason I may use diskpart is if it doesn't allow me to delete the partitions. When I was using ReviOS on a brand new ISO USB stick I was trying to delete all partitions, but some were blocked from being deleted.

I'm typing on mobile at the moment. One of my SSDs has 23 GB of unallocated space. When going into the menu to see drives/drivers, I have a random drive called "boot" under the letter X that has WinSxS and a Public user and all these Windows folders. I'm not able to delete it though somehow, and using diskpart it does not show up. Not sure if this is a normal thing, but WinSxS was one of the folders that was hijacked. Also, when trying to make the 23 GB of unallocated space an assigned volume with space, it does not allow it. I do not know where the boot drive with the letter X is coming from.

I also want to mention that when using Secure Boot it said my keys were modified, but I've never modified any of the keys on it, maybe some BIOS options for the CPU, that's it. If you could get back to me ASAP it'd be helpful!

14 minutes ago, AdvancedSetup said:

Okay do the following.

Restart the computer and boot up using the official Microsoft USB boot disk.

Then type the following and show me a screenshot of it

DISKPART

LIST DISK

Disk 2 is my boot drive, disk 0 is an SSD I have, disk 1 is an HDD, and disk 3 is the USB.

  • Root Admin

No, I don't want logs, as I don't know that you performed a proper CLEAN install.

Personally I'd disconnect the power/data cable from all drives and only leave the drive connected that you will install Windows on.

Then do a DISKPART CLEAN ALL on that drive.

Then, using the USB installer for Windows whose HASH you have VERIFIED matches the web download, install Windows from that.

Please send me the HASH from your ISO image.
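As an added example, and not code posted by anyone in this thread, here is the hash check and disk wipe AdvancedSetup describes, scripted in PowerShell. The ISO path, the expected SHA-256 and the target disk number are inputs you supply; the hash to compare against is the one Microsoft lists for that exact ISO on its download page, and the script refuses to touch the disk that is currently booted or a USB device.

```powershell
# Added example, not from this thread. Verifies a downloaded Windows ISO
# against a published SHA-256, lists disks the way LIST DISK does, and only
# then writes and runs a diskpart CLEAN ALL script for one chosen disk.
# $IsoPath, $ExpectedSha256 and $TargetDiskNumber are all placeholders you pass in.
param(
    [Parameter(Mandatory)] [string] $IsoPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    [Parameter(Mandatory)] [int]    $TargetDiskNumber
)

# 1. Hash the ISO locally. Any mismatch means a corrupt or tampered download,
#    so stop here rather than install from it.
$actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim().ToUpperInvariant()) {
    throw "SHA-256 mismatch for ${IsoPath}: expected $ExpectedSha256, got $actual"
}
Write-Host "ISO hash verified: $actual"

# 2. Show every disk so the number about to be wiped can be checked against
#    its size and bus type (NVMe, SATA, USB) before anything irreversible.
Get-Disk |
    Select-Object Number, FriendlyName, BusType, PartitionStyle,
                  @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB) } } |
    Format-Table -AutoSize

# 3. Refuse to wipe the running system disk (that has to be done from the
#    installer's WinPE) or a USB device, which is probably the installer stick.
$disk = Get-Disk -Number $TargetDiskNumber
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $TargetDiskNumber is the running system disk; boot the verified USB and wipe it from there."
}
if ($disk.BusType -eq 'USB') {
    throw "Disk $TargetDiskNumber is a USB device; not wiping it."
}

# 4. Write a diskpart script. CLEAN ALL overwrites every sector with zeros
#    (slow on a large drive) instead of only dropping the partition table,
#    which is what removes partitions the installer UI refused to delete.
$dpScript = @"
select disk $TargetDiskNumber
clean all
exit
"@
$dpPath = Join-Path $env:TEMP 'wipe-disk.txt'
Set-Content -Path $dpPath -Value $dpScript -Encoding ASCII

# 5. Ask for explicit confirmation before handing the script to diskpart.
Write-Host "About to run: diskpart /s $dpPath`n$dpScript"
if ((Read-Host 'Type WIPE to continue') -ceq 'WIPE') {
    diskpart /s $dpPath
} else {
    Write-Host 'Aborted; disk untouched.'
}
```

Run it from an elevated PowerShell on a full Windows install. Inside the installer's own WinPE the Get-Disk cmdlet may be unavailable, so use diskpart's LIST DISK there instead. If the stick was written directly by the Media Creation Tool rather than from a downloaded ISO, there is no ISO file on your side to hash, which is the gap AdvancedSetup is pointing at.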

34 minutes ago, AdvancedSetup said:

No, I don't want logs, as I don't know that you performed a proper CLEAN install.

Personally I'd disconnect the power/data cable from all drives and only leave the drive connected that you will install Windows on.

Then do a DISKPART CLEAN ALL on that drive.

Then, using the USB installer for Windows whose HASH you have VERIFIED matches the web download, install Windows from that.

Please send me the HASH from your ISO image.

Hello, I made the USB drive with the media installation program they use on the website that just installs it onto the USB. Also, I can assure you I've freshly installed completely everything, and right now I just had to initialize my disks after deleting all partitions within them. I have a question though: the NVMe I used to install Windows has a recovery partition of 674 MB, is this normal?

  • Root Admin

Again, without knowing the HASH you truly do not know 100% for certain that the image was not modified or that a man-in-the-middle attack was in place.

For the sake of argument we'll pretend that the image you're using is 100% good and valid.

Please get me a new set of logs for the computer.

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

  • Root Admin

What is this? This is not a default or normal install. I have installed Windows hundreds of times and never once were these changed.

Default browser: "C:\Scripts\ie_to_edge_stub.exe" %1

Again, if you want my help please install a DEFAULT Windows 11 installation and DO NOT modify it. Then post back new logs.

I don't have time to debug systems that have 3rd party software installed and claiming they have some recurring malware or rootkit threat.
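To see for yourself what that "Default browser" line is reporting, here is an added example (not from this thread and not the log tool's own code) that reads the per-user and machine-wide URL handler keys, pulls out the executable, and flags one that lives outside the usual install directories, as a handler under C:\Scripts\ would be. The list of "stock" roots is an assumption tuned to a default install; a per-user browser may need its own directory added.

```powershell
# Added example, not from this thread. Resolves which program Windows runs
# for http/https links and flags a handler outside the normal install roots.

function Get-UrlHandler {
    param([string] $Scheme = 'http')

    # Per-user choice made in Settings > Default apps.
    $choiceKey = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$Scheme\UserChoice"
    $progId = (Get-ItemProperty -Path $choiceKey -ErrorAction SilentlyContinue).ProgId

    # The ProgId's open command; with no user choice, the machine-wide
    # protocol key under HKEY_CLASSES_ROOT applies instead.
    $target = if ($progId) { $progId } else { $Scheme }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$target\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{ Scheme = $Scheme; ProgId = $progId; Command = $command }
}

function Get-ExecutableFromCommand {
    param([string] $Command)
    # Handles both  "C:\Program Files\X\x.exe" --flag "%1"  and  C:\X\x.exe %1
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Test-StockLocation {
    param([string] $ExePath)
    # Assumed set of directories a default install puts browsers under.
    $roots = @(
        $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot,
        (Join-Path $env:LOCALAPPDATA 'Microsoft'),
        (Join-Path $env:LOCALAPPDATA 'Programs')
    )
    foreach ($root in $roots) {
        if ($root -and $ExePath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

foreach ($scheme in 'http', 'https') {
    $h = Get-UrlHandler -Scheme $scheme
    if (-not $h.Command) { "${scheme}: no handler registered"; continue }

    $exe = Get-ExecutableFromCommand $h.Command
    $verdict = if (Test-StockLocation $exe) { 'stock location' } else { 'REVIEW: unusual path' }

    # Authenticode says who signed the binary, not whether it is benign, but
    # an unsigned handler that sees every link you open deserves a look.
    $sig = if (Test-Path $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'file missing or unsigned' }

    [pscustomobject]@{
        Scheme    = $h.Scheme
        ProgId    = $h.ProgId
        Command   = $h.Command
        Exe       = $exe
        Location  = $verdict
        SigStatus = $(if ($sig) { $sig.Status } else { 'n/a' })
        Signer    = $signer
    } | Format-List
}
```

On a default Windows 11 install the command resolves to msedge.exe under Program Files (x86) with a Microsoft signature; a handler living in a directory like C:\Scripts\ comes back marked for review, which is the same thing AdvancedSetup reacted to in the log.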

  • Root Admin

We're trying to verify and validate that the computer is safe. Installing 3rd party software makes that very difficult to do.

Audacity 3.3.3 (HKLM\...\Audacity_is1) (Version: 3.3.3 - Audacity Team)
Brave (HKU\S-1-5-21-455846974-2832669371-2726853983-1001\...\BraveSoftware Brave-Browser) (Version: 117.1.58.127 - Brave Software Inc)
CPUID CPU-Z 2.07 (HKLM\...\CPUID CPU-Z_is1) (Version: 2.07 - CPUID, Inc.)
Discord (HKU\S-1-5-21-455846974-2832669371-2726853983-1001\...\Discord) (Version: 1.0.9017 - Discord Inc.)
Epic Games Launcher (HKLM-x32\...\{37D87A98-763A-44A7-AD9E-8D661616A2C4}) (Version: 1.3.78.0 - Epic Games, Inc.)
Epic Online Services (HKLM-x32\...\{35905844-0610-427D-86A0-2103FABE3D4D}) (Version: 2.0.42.0 - Epic Games, Inc.)
Malwarebytes version 4.6.2.281 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.6.2.281 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-455846974-2832669371-2726853983-1001\...\OneDriveSetup.exe) (Version: 23.180.0828.0001 - Microsoft Corporation)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TechPowerUp GPU-Z (HKLM-x32\...\{8B0F211E-5846-4FB2-B0B9-4EB31546FDF9}}_is1) (Version: 2.54.0 - TechPowerUp)
Ubisoft Connect (HKLM-x32\...\Uplay) (Version: 145.1.10933 - Ubisoft)
VLC media player (HKLM\...\{B022B1C5-D067-42CB-98E2-D965E4D74CFE}) (Version: 3.0.18.0 - VideoLAN)
WinRAR 6.23 (64-bit) (HKLM\...\WinRAR archiver) (Version: 6.23.0 - win.rar GmbH)

  • Root Admin

We can do some scans and "assume" all is okay if you like, though. But these will be some quick checks, and if you continue to have or see issues then, as I said, you need to install a clean, default Windows installation without any 3rd party software.

If you'd like to do that please let me know.

Thanks
