Computer troubles, possibly hacked


Something funky with my computer. It's less than a year old, and my phone and Fire Stick are faster. I just picked up another motherboard (Asus ROG Z790 Gaming WiFi-E) the other day and reinstalled Windows. I went with Windows 10 x64 Pro, because 11 is just gross. I'm running the Z790 board with an i9-13900KS with direct die; it sits at ambient and won't spike more than 10-15 C under load, so I know it's not thermals causing issues. I also am not currently playing any games or doing anything really graphics intensive. Even still, with a 4090, it wouldn't be anything it couldn't handle. I'm not running out of RAM either, as I have a 64 GB kit. I really don't know why my computer is running so slow.

I've run MBAM, MSERT, and Defender; the only thing that showed was in MSERT, which while scanning said 9 infected files, then afterwards said there was nothing to clean. On another note, I tried installing Bitdefender and Firefox and was met with a continuous 0%, then an error that it couldn't download the needed files. Pretty much anything that uses Microsoft servers to log in or get files is extremely slow and takes forever to log in or populate, save for the Microsoft website and child sites. Strangely, I was also getting errors about SmartScreen not working whenever I tried running an .exe. I do have a lot of entries trying to log in to my Microsoft account regularly, which originate from just about every country from here in the States to Slovenia. Please, I need help. Thank you for your time; hope to hear from you soon.


  • Root Admin

Hello and welcome @PurplePhenom

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please follow all steps in the provided order and post back all requested logs.
  • Please attach all log files to your post, unless otherwise requested.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup of all private data.
  • Do not run online games while your case is ongoing. Do not do any freewheeling, risky web surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you unless requested.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
    Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. 
    If there are any on the system you should uninstall them before we proceed.  
  • If your system is running Discord or P2P torrent software, please be sure to exit out of it while this case is ongoing.


Do these two steps so that ALL folders & files are set to SHOW, and also turn OFF Windows Fast Startup.

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/
 

  • Next, please restart Windows

  • Please be patient and stick with me until I give you the "all clear" or otherwise indicate all is good

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system security.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 

 

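The two preparatory steps in the post above (show hidden folders, files and extensions; turn off Fast Startup) can also be applied from an elevated PowerShell prompt instead of clicking through the linked guides. This is an added example, not part of the original post or of the Malwarebytes guides; the registry values it writes are the ones those Explorer view and power settings are stored under. Run it as Administrator, since the Fast Startup value lives under HKLM.

```powershell
# Added example (not from the original thread): apply the two preparatory
# settings the helper asks for. Run from an elevated PowerShell prompt.

# 1. Show hidden files, protected operating-system files and file extensions
#    for the current user (these are per-user Explorer settings under HKCU).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord   # 1 = show hidden items
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord   # 1 = show protected OS files
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord   # 0 = show file extensions

# 2. Turn off Fast Startup (hybrid boot), so "Shut down" is a real shutdown and
#    the kernel session is not restored from hiberfil.sys on the next boot.
$power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
Set-ItemProperty -Path $power -Name HiberbootEnabled -Value 0 -Type DWord

# Restart Explorer so the view settings take effect immediately. Windows often
# relaunches the shell by itself; only start it if that did not happen.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}

# Read back what was written, so the change can be confirmed before rebooting.
Get-ItemProperty -Path $adv   | Select-Object Hidden, ShowSuperHidden, HideFileExt
Get-ItemProperty -Path $power | Select-Object HiberbootEnabled
```

The Fast Startup change only matters from the next shutdown onward, which is why the post asks for a restart right after these two steps.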

  • Root Admin

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows key and R key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addition to the Run command is very important: when the scan eventually completes, the resulting report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan, select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options. If "Cure" is offered, leave it as is. For any other option change it to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
 
Thank you
 
 

 

 


  • Root Admin

No detection found. Let's try another scanner @PurplePhenom

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen, choose whether you want to send anonymous data and whether you want to provide feedback, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 


  • Root Admin

It looks like you were able to get from Kaspersky.

Please try power cycling your Router / Modem and see if that helps.

Then try the Microsoft Scanner

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers: make sure all are fully exited, and that messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay attention to any intermediate early flash messages on the screen. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all breadcrumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 


I'm not sure if the entries in this are normal, but it's odd.

PASSWD.LOG

This one is strange too, considering this is a home PC.

NetSetup.LOG


  • Root Admin

I would try a CLEAN install following the process below. Though I do not share the same feelings about using a Microsoft account. I prefer a local account.

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/

 

If you're still having an issue after that then it has to be related to hardware or BIOS / UEFI somehow

 

 


Ok, I was starting to wonder if that would be best. This is a brand new MB; would it be safe to say it's likely not the board, leaving RAM, GPU, or processor?

I'm happy to reinstall Windows, but is there a way to do a day-1 install without migrating anything or any settings? I have noticed on Windows 11, for instance, the option to resume desktops after fresh installs.

Thank you for your help, and going over the logs. I can't imagine how tedious that must be... I'm getting sleepy just thinking about it. 


  • Root Admin

Since you already installed using a method that proved not to work for you, I would not try to sidestep the process.

It really only takes about 15 minutes to do a clean install of Windows.

Back up only the personal private data you created to an external USB drive.

1. Format an 8 GB or larger USB thumb drive.
2. Use the official Microsoft ISO or installation tool to make the bootable USB thumb drive (verify the hash of all files downloaded).
3. Boot the computer to the USB thumb drive.
4. Either use the GUI and Advanced settings to delete ALL partitions, or press SHIFT-F10 during the boot-up process and use DISKPART to run the Clean command on the drive to remove everything.
5. Complete the Windows install. Get all Windows Updates. DO NOT install any 3rd-party software. Come back here once Windows, and only Windows, is installed and we'll help you from there.

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11

 

 

 


This has become rather troublesome to obtain. I'm having issues trying to even download the ISO. When I click the download button I am given this message (refer to message code 715-123130 and 65e339cb-65a6-4c84-9f91-1c665702430f). I'm not currently connected to any VPNs either. I can download the creation tool; however, the cert for the creation tool has a validity date beginning 9-02-22 and ending 9-01-22.

 

 

After some research into the cert validity of this download, I realized that it's not based on the begin and end date per se, but rather, in Microsoft's case, on whether the dates were valid at the time of signing. Now that this has been clarified, I'll move forward with media creation, and I'll update you further. Additionally, I have successfully downloaded and installed Chrome, and will attempt to download the ISO using that browser, as I have as of yet been unsuccessful in downloading using Edge. Thank you for your time.

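Both the hash check asked for in step 2 of the clean-install post above and the signing-certificate dates discussed in the two posts just before this can be checked from PowerShell before the installer is run. This is an added example, not code from the thread or from Microsoft. The file name under Downloads and the expected hash are placeholders: replace them with the file you actually downloaded and the SHA-256 Microsoft publishes next to it where one is provided (the ISO download page lists one under "Verify your download"). It uses only built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature).

```powershell
# Added example (not from the original thread): verify a downloaded Windows
# installer by (1) comparing its SHA-256 against the published value and
# (2) inspecting its Authenticode signature, including the timestamp that
# keeps the signature valid after the signing certificate itself has expired.

# Placeholders: point these at your actual download and the hash published for it.
$Path           = "$env:USERPROFILE\Downloads\MediaCreationTool.exe"
$ExpectedSha256 = "<paste the SHA-256 shown on the Microsoft download page>"

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# 1. Hash check. A mismatch means a corrupt or substituted download; stop there.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($ExpectedSha256 -match '^[0-9A-Fa-f]{64}$') {
    if ($actual -eq $ExpectedSha256) {          # -eq on strings is case-insensitive
        Write-Host "SHA-256 matches the published value." -ForegroundColor Green
    } else {
        throw "SHA-256 mismatch: got $actual, expected $ExpectedSha256."
    }
} else {
    Write-Warning "No published hash supplied; computed SHA-256 is $actual"
}

# 2. Signature check. Status 'Valid' means the certificate chain verifies and
#    the file has not been modified since it was signed.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"
"Signer           : $($sig.SignerCertificate.Subject)"
"Cert valid       : $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"

# The timestamp countersignature is why an expired signing certificate does not
# invalidate the file: the verifier asks "was the certificate valid when the
# file was signed?" rather than "is the certificate valid today?".
if ($sig.TimeStamperCertificate) {
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Warning "No timestamp countersignature: this signature stops validating when the cert expires."
}

if ($sig.Status -ne 'Valid') {
    throw "Refusing to trust $Path : Authenticode status is $($sig.Status)."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Write-Warning "Signer is not Microsoft Corporation; check the subject printed above."
}
```

If the hash matches but the signature is not 'Valid', the usual cause on a freshly reinstalled machine is a broken root-certificate store or a wrong system clock, both worth checking before assuming the download itself is bad.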

I am actually, though I have also been speaking with some of the fine folks at VirusTotal. I thought I had rid myself of this a long time ago, but recently the computer had become almost unusable, which is why I ended up posting here for some help, thinking it was something new. Since trying to find answers for my problem downloading the ISO, I found some other users with very similar problems. I now have a better, albeit rudimentary, grasp of the problem, and believe the issue has to do with it being used as a DOMAIN. Someone had commented on a node attached to the .exe I uploaded and stated that my SSD was empty. So what I thought was my desktop was in fact a remotely accessed virtual copy. Now, there is some good news in that I do believe I have rid myself of this controller. However, I'm finding it difficult to get anywhere when dealing with domain issues that are lingering, because it's completely foreign to me. This is the graph that's been mapped out thus far, if you're curious at all: https://www.virustotal.com/graph/embed/g5f411537be864a3fad6e9c3ed640bb86102506ec48f54f6cbf9c034814f63d27?theme=dark


One other little tidbit: while in my search for answers to my current issue, I of course found other folks with very similar issues. The interesting part, however, is that a large majority of the posts I came across also found that the IPs where the attacks either originated from, or the files were dropped from, were linked to or outright owned by MICROSOFT. Of course that isn't the case for all of them; however, MICROSOFT's response in dealing with these concerns has been everything from completely ignoring them to a few breadcrumbs to full removal. So, whatever is going on, I think it's safe to say they are aware.

