Rootkit after total reformat from hidden drive, contaminated recovery


Solved by JSntgRvr

First, I started getting access denied when I would try to open programs. Avast was disabled. Along with any antivirus I tried, Windows Defender was disabled immediately. Installed Malwarebytes and it was disabled; installed it again later from safe mode and it scanned for 3 seconds and found nothing. DrWebCureIt says it could find no Windows on my PC. Recovery options kept failing until the recovery partition disappeared. Formatted laptop multiple times, formatted main partition and later all partitions. X: drive seems to be a hidden drive that hides and saves/imports settings/rootkit, even when all partitions are deleted. Tried to flash BIOS but it did nothing. More and more permissions are taken away. My USBs keep not being recognized. My mouse is disabled. I'm pulling my hair out.

The standard way of changing permissions fails with access denied. Takeown and icacls do nothing. Norascan program found rootkit behavior in nested folders/junctions? (Documents and Settings, Application Data folder has what looks like 100 nested folders; I can't find the end of it.) All user folders and most folders have hidden files inside. System32 has some as well. Anything I remove returns on reboot.

Emsisoft Emergency Kit found some things before reformat, then whatever this is disabled it. Network access keeps being taken away. Run button is gone. Sfc /scannow does nothing, Windows updates fail. Just wiped drive and installed Windows again, and services are greyed out where I cannot disable any of them. Before I could log off the drive was hidden. I was able to give it a new drive letter and unhide it because of Hiren's boot disk, then I shut it off because this is beyond my skills. At this point it's really hard to do anything, or even connect to the internet. I saw a post on Microsoft by googling about a similar virus or rootkit. It hides files in the recovery partition somehow, and in other partitions. But, somehow even after a complete 3-wipe format of each partition this thing comes back.

Additional info: the first thing I noticed was Windows Defender was disabled, and I was unable to change that. Avast was disabled, Malwarebytes was altered or disabled from scanning. Norascan found suspicious 64Packed PE codes in Windows Defender both in scans and definition updates, system32 agentactivationruntimestarter.exe, system32 searchindexercore.dll, system32 tpmtool.exe, multiple 64Packed PE codes in App Data\Local\Application Data\Application Data (this is the nested folder that goes on and on).

System Volume Information, Documents and Settings, Program Data, Recovery and Recycle Bin are all hidden, which is normal, except they contain tracking.log or desktop.ini files with commands in them. I am looking at photos I took of these scans with my phone to provide these details. Another program found Rogue.Win32.FakeOpt (A), PUP Gen:Variant.Application.NirSoft.249982 (B), Gen:Variant.MSILHeracles.75067 (B) and Gen:Variant.MSILHercules.52824 (B). Microsoft Safety Scanner found 49 files infected but when the program finished it reset and said nothing was found at the very end. Another thing flagged was DNS hijackers in the Windows\winsxs\ folder; dnsapi.dll was flagged as a DNS hijacker, and the Gen:Variant was found in the Roaming folder as well. WinPatrol found a new or changed startup program with CMD /C del C:\Windows\TEMP\ST_CPL.pkg.XML /F along with C:\Windows\Temp\MUBTemp\BCILauncher.EXE. Access Denied and permissions keep being removed. This debugger file is called every time [CompatTelRunner.exe] is executed: C:\Windows\Sysnative\taskkill.exe.

I am at a loss, if anyone can solve this, I would be so thankful.

Windows 11 Home Asus Laptop
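
The WinPatrol finding in the post above (a startup entry running CMD /C del ..., and taskkill.exe registered as the "debugger" for CompatTelRunner.exe) names two persistence locations a defender can enumerate directly rather than wait for a scanner to mention them. The PowerShell below is an added example; it was not posted in this thread and is not part of WinPatrol, Norascan or any other tool mentioned here. It assumes an elevated PowerShell session on the suspect Windows install (for a disk mounted offline from Hiren's, the hive path would have to be loaded separately and is not handled). It lists every Image File Execution Options subkey that carries a Debugger value and every registered startup command, then flags the two patterns reported above so the output can be compared against a known-good machine.

```powershell
# Added example: enumerate two autostart/hijack locations mentioned in the thread.
# Assumes an elevated PowerShell session on the affected Windows install.

# 1. Image File Execution Options. A "Debugger" value under an image name makes
#    Windows start that "debugger" whenever the named program is launched. The
#    thread reports taskkill.exe registered this way for CompatTelRunner.exe.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $props.Debugger
            }
        }
    }
}

# 2. Startup commands (Run keys, Startup folders and similar) as WMI reports them;
#    this is where a "new or changed start up program" like WinPatrol's lives.
function Get-StartupEntry {
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

Write-Host '== IFEO Debugger entries (expect few or none on a clean client) =='
Get-IfeoDebugger | Format-Table -AutoSize

Write-Host '== Startup commands =='
Get-StartupEntry | Format-Table -AutoSize -Wrap

# Flag the specific patterns from the thread: a debugger that is taskkill.exe,
# and a startup command that deletes files through "cmd /c del".
$suspect = @(Get-IfeoDebugger | Where-Object { $_.Debugger -match '(?i)taskkill\.exe' }) +
           @(Get-StartupEntry | Where-Object { $_.Command -match '(?i)cmd(\.exe)?\s+/c\s+del\b' })

if ($suspect.Count -gt 0) {
    Write-Host "`nEntries matching the patterns reported in this thread:" -ForegroundColor Yellow
    $suspect | Format-List
} else {
    Write-Host "`nNo entries matched the thread's patterns."
}
```

Save the output from the suspect machine and from a freshly installed, known-clean Windows of the same version; legitimate IFEO debugger entries exist but are rare, so any difference between the two lists is worth explaining before trusting the install.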

It should. I deleted all partitions for the 3rd time last night. Reinstalled Windows again. I checked services just to see if I was still infected, although I knew I would be. Saw some services greyed out when I should be able to disable them and immediately booted to a USB drive. Then I found the virus/rootkit or person had hidden the drive and it looked like it was deleted. After running partition programs I was able to give the drive a drive letter using a USB boot disk (Hiren's). Then I turned the laptop off and I have not tried to boot it since. I came to make this post and wait before it did anything else.


Chances are the partitions are not being recognized.

Do you have an Installation Media for Windows 11? If you don't have the Installation Media Create one.

Download Windows 11 (microsoft.com)

If you wish you can use the Hiren's CD to Wipe Clean the drive and convert it to GPT.

Open a Command Prompt and type the following:

Diskpart

Select Disk 0 (That is Disk zero)

Clean

Convert GPT

Exit

Restart to the Installation Media for Windows 11 and install Windows.


Following instructions. Windows installed. This will make the 3rd time I have wiped all partitions completely. I have 256 GB on this laptop but only 116 GB are showing as available. This is an Asus E510 laptop. Why would 100+ GB be missing? Anyway, it's installed and checking services it's the same old song. Many Windows Updates failing. Services greyed out where I cannot change startup type, or when I try to disable a service I get "The parameter is incorrect".

[Attachment: IMG_0844.jpeg]

[Attachment: IMG_0845.jpeg]

That "drive" is a soldered-on Kingston eMMC drive. If it is failing you can toss that laptop unless it is still under warranty and can be replaced.

Please do another CLEAN install using the following instructions.

NOTE:

You must remove ALL partitions of the drive you're going to install Windows on

If you do not follow the directions as provided then that may be cause for issues.

DO NOT use any activation tools or programs. Windows will work just fine without activation except being able to customize the desktop, but there are workarounds for that if wanted.
DO NOT install any other software. Get Windows installed. Then come back here and let us know.

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11

I did follow his instructions completely. I did a complete wipe of all partitions before doing a clean install. I did bypass an online account by hitting Shift+F10 and entering OOBE\BYPASSNRO. Would a failing hard drive disable the internet, Windows Defender, Windows Firewall and Windows Update? I did an offline scan with Windows Defender; it found things and then bam, the menu was removed immediately after that pop-up. I could not see the results or settings any longer. This is also when the internet was disabled. Then the Run button was gone, and Search and Settings no longer opened. Then my mouse was removed. I restarted to retry Windows Updates. I did not sign into any Microsoft account. This is when it booted to the BIOS menu. I booted again from Hiren's boot disk, where it showed the drive was hidden and drive letter removed. I came here to post, and the BIOS menu kept showing again with no boot methods. Just so it's clear what happened, in case I did not word it as well as I could have. Thank you both for your replies so far.

Flash forward to now:

Installed Windows, bypassed online requirement. Shut down computer for the evening, awaiting further instructions.

4 minutes ago, regardingjoy said:

Installed Windows, bypassed online requirement. Shut down computer for the evening, awaiting further instructions.

Forget updates for now. Get online or use a flash drive for the following tool and post back the logs.

Click the following link and run a Scan with Farbar Recovery Scan Tool

Your drive is 128 gig, not 256.

A 128 gig drive formats to what your computer shows.

Quote

Drive c: () (Fixed) (Total:115.87 GB) (Free:96.64 GB) (Model: Kingston X29128) NTFS

You used an OLD Win 11 download. Microsoft Windows 11 Home Version 21H2. It will not update with Windows Update since it is so old.

The current is 23H2. You did not create a current USB.

Edited by Porthos
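
Two questions in this thread come down to what Windows actually sees on the disk: whether the diskpart clean / convert gpt sequence JSntgRvr gave earlier left a GPT disk with only the partitions the installer created, and why a drive sold as "256" or "128" shows a smaller figure for C:. The PowerShell below is an added example, not something posted in the thread and not part of Hiren's or any tool named here. It assumes an elevated session with the Windows Storage cmdlets (a normal Windows 10/11 install, or a WinPE that loads them) and reports, per disk, the partition style, the raw size converted both the vendor way (decimal GB) and the Windows way (binary GiB, which Windows labels "GB"), the partition count and any unallocated space, then lists every partition on disk 0 including the EFI, MSR and recovery partitions that carry no drive letter. A drive of 128,000,000,000 bytes comes out at about 119.2 GiB before those partitions are subtracted, which is why a "128 GB" drive can legitimately show C: in the 115 GB range.

```powershell
# Added example: report what Windows sees on each disk after a diskpart clean /
# convert gpt and reinstall. Assumes elevated PowerShell with the Storage module.

function Get-DiskSummary {
    Get-Disk | ForEach-Object {
        $parts = @(Get-Partition -DiskNumber $_.Number -ErrorAction SilentlyContinue)
        $allocated = ($parts | Measure-Object -Property Size -Sum).Sum
        if (-not $allocated) { $allocated = 0 }
        [pscustomobject]@{
            Disk           = $_.Number
            Model          = $_.FriendlyName
            Style          = $_.PartitionStyle               # GPT expected after "convert gpt"
            Health         = $_.HealthStatus                 # flags a failing eMMC/SSD
            VendorGB       = [math]::Round($_.Size / 1e9, 1) # decimal GB, as sold
            WindowsGiB     = [math]::Round($_.Size / 1GB, 2) # binary GiB, what Windows calls "GB"
            Partitions     = $parts.Count
            UnallocatedGiB = [math]::Round(($_.Size - $allocated) / 1GB, 2)
        }
    }
}

function Get-PartitionDetail {
    param([int]$DiskNumber = 0)
    # Lists every partition, lettered or not: EFI, MSR and recovery normally have no letter.
    Get-Partition -DiskNumber $DiskNumber |
        Select-Object PartitionNumber, DriveLetter, Type, IsHidden, IsBoot, IsSystem,
            @{ n = 'SizeGiB'; e = { [math]::Round($_.Size / 1GB, 2) } }
}

Get-DiskSummary | Format-Table -AutoSize

Write-Host 'Partitions on disk 0 (including those without a drive letter):'
Get-PartitionDetail -DiskNumber 0 | Format-Table -AutoSize
```

Read VendorGB against the sticker on the laptop; that figure, not the free space on C:, answers whether the drive is the size it was sold as. A large UnallocatedGiB or more partitions than a fresh installer creates (EFI, MSR, Windows, recovery on a typical GPT install) is what to look at next, and a Health value other than Healthy points back to Porthos's note about the soldered eMMC failing.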

Nothing shows as not working in Device Manager. 
I used a bootable Win 11 usb. It is a 256. But for some reason part of it is now hidden. I bought it with 256 just months ago. 
What specifically should I click in Device Manager?
Everything I did check says I have the latest drivers.

Is NOEXECUTE=OPTIN the way a normal start up is supposed to be?

[Attachment: IMG_0857.jpeg]
