[ RESOLVED ] Suspected botnet malware still persists after complete zeroing of the disk.

Hello,

For the past 2 years I have been trying to get rid of an especially persistent threat. It all started when I downloaded and installed a cracked program from a "reputable" source, supposedly safe. It was installed on my laptop that I bought back in 2019, and the malware infected the 1 TB disk I had installed in it at the time. I attempted multiple times to get rid of it with every possible solution I could find, even using AVs and other programs that were recommended here, but to no avail since they do not detect anything. Reinstalling Windows from a bootable USB, using diskpart with the clean all command, or even booting into GParted and completely zeroing the disk didn't help at all; the new installs were infected within minutes. I'm not extracting any files that were previously saved on the infected Windows install, since I'm not saving any important files on my computer and I only reinstall legitimate software. Surprisingly, it seems to be limited to the 1 TB disk that I mentioned previously, because I swapped the SSD of the laptop to the stock 250 GB one it had before and no symptoms were seen for 6 months. A few days ago I built a PC and used that specific 1 TB drive, and within 2 days the malware started exhibiting symptoms. The USB that I used and the Windows ISO were created and formatted on a healthy Linux PC. I also updated the drive's firmware, but it didn't help at all.

The malware seems to be triggered at random and multiple times each week. If I'm browsing the internet when it starts, my browser frantically refreshes itself multiple times a second and it triggers Google's "Suspicious traffic detected" warning with the captcha. If during that time I open a random CMD window or a literal plain text file, hundreds of these windows will start opening by themselves, slowing down the computer without me being able to close them or do anything about it until it ends. Also, several coworkers have brought to my attention that emails that I send from that PC will always send duplicates, numbered in the thousands.

I haven't lost any accounts this whole time, but that doesn't mean that I don't want to get rid of it. If it turns out to be directly related to the SSD then I'll have to change it, but right now I'm trying to save it from being a paperweight. It probably sounds ridiculous how I describe the whole situation, but that's literally all the available info I can give.

Any advice would be appreciated


Hello @hawkactual and welcome.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.


Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

Please make the following system changes. Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
       RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool
     

Example image of where to click to attach files when posting your reply


Thank you


Edited by AdvancedSetup
Corrected font issue

  • Root Admin

Good day @hawkactual

As you're probably aware, you're correct: the logs do not indicate any obvious infections. There is no known malware that can survive when the partitions are removed for a clean install of Windows.

There are a few BIOS/UEFI bootkits and rootkits but most need physical access to your computer.

I see you have a recent BIOS update. I would re-flash the BIOS with either a newer version or if possible drop back to an older BIOS and then flash back to a new one. There is no known BIOS/UEFI that would be able to survive that as well.

Then, after the flash, go ahead and do a new CLEAN install of Windows by once again using a clean Windows installer on a USB stick.

Delete all partitions of the drive and allow Windows to create the partition and install Windows.

 

The following will help to keep Windows clean


The following information will help you to keep your computer and data safer as well as improve your overall privacy

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin


Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity


Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.

Thank you for the reply

Unfortunately I'm 100% sure it's not a UEFI rootkit, since I swapped the drive from my laptop (where the initial infection took place) to my PC and the symptoms literally swapped with it (completely different UEFI as well). Is there anything else I can do to save the SSD before I swap it to a completely new one? Any tools I can use to nuke it again, or is it getting the hammer treatment?

  • Root Admin

If there was an issue and you switched the drive to a completely different motherboard architecture and Windows was able to correct and still boot that's an amazing testament to Microsoft and your luck. Many systems might boot but would be utter garbage at this point in my opinion.

Switching to another computer would also not be indicative of how one would test. If a UEFI rootkit had damaged or attacked the operating system, it would simply be there on the drive and move over to the new computer.

I am in agreement that of nearly a billion computers out there and only a handful of computers found in the wild with UEFI rootkits in the actual firmware would be extremely unlikely.

My guess is that some common software, extension, website, browser setting, etc. is the actual culprit. At the time you are actually experiencing said issue, use tools like the following to help you track down the issue.

Sysmon, Process Explorer, Process Monitor, System Informer
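To complement the tools the Root Admin lists, here is an added example (not part of the thread and not a Malwarebytes tool) of a PowerShell triage snapshot to run from an elevated prompt while the symptoms are happening. It records the process tree with parent names and command lines (so whatever is launching the hundreds of CMD windows shows up as a parent), the processes owning established TCP connections (for the browser-refresh symptom), and the usual persistence spots (Run keys, scheduled tasks, WMI event subscriptions). The output folder under the user profile is an assumption; everything else uses standard cmdlets that ship with Windows 10/11.

```powershell
# Added example, not from the thread: one-shot triage snapshot while symptoms occur.
# Run as Administrator. Output folder name is an assumption; change as you like.
$outDir = Join-Path $env:USERPROFILE ("triage-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outDir | Out-Null

# 1. Process list with parent relationship and full command line.
#    A runaway spawner shows up as the ParentName of many cmd.exe / notepad.exe rows.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p.Name }
$procs |
    Select-Object ProcessId, ParentProcessId,
        @{ n = 'ParentName'; e = { $byPid[[uint32]$_.ParentProcessId] } },
        Name, CreationDate, ExecutablePath, CommandLine |
    Sort-Object CreationDate -Descending |
    Export-Csv (Join-Path $outDir 'processes.csv') -NoTypeInformation

# 2. Established TCP connections mapped to their owning process.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'ProcessName'; e = { $byPid[[uint32]$_.OwningProcess] } } |
    Export-Csv (Join-Path $outDir 'connections.csv') -NoTypeInformation

# 3. Common persistence locations: Run/RunOnce keys for machine and current user.
$autorunsFile = Join-Path $outDir 'autoruns.txt'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        "== $k" | Out-File $autorunsFile -Append
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # skip provider metadata
            ForEach-Object { "$($_.Name) = $($_.Value)" } |
            Out-File $autorunsFile -Append
    }
}

# 4. Enabled scheduled tasks, one row per action, with the executable and arguments.
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $t = $_
    $t.Actions | ForEach-Object {
        [pscustomobject]@{
            Task      = $t.TaskPath + $t.TaskName
            Execute   = $_.Execute
            Arguments = $_.Arguments
        }
    }
} | Export-Csv (Join-Path $outDir 'scheduled-tasks.csv') -NoTypeInformation

# 5. Permanent WMI event subscriptions (a fileless persistence spot that survives
#    a plain file-system cleanup but not a disk wipe).
$wmiFile = Join-Path $outDir 'wmi-subscriptions.txt'
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Format-List | Out-File $wmiFile
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer |
    Format-List | Out-File $wmiFile -Append

Write-Host "Triage snapshot written to $outDir"
```

Take two snapshots, one during a quiet period and one while the windows are spawning, and diff the process and connection CSVs; the parent that only appears in the second snapshot is the thing to look at with Process Monitor or System Informer.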

Thank you for the reply

I will do as you said; next time I will use the tools you listed and will attempt to capture video evidence as well with OBS.

Please keep in mind that when I said I swapped the drives from one computer to the other, I actually zeroed it first and then swapped, but it didn't matter since the symptoms followed with it.

Either way, thank you for everything and what you do for the community.

  • Root Admin
6 minutes ago, hawkactual said:

but it didn't matter since the symptoms followed with it

Again, I am certain that it is some common software, extension, website, browser setting, etc. You need to use the tools to track it down. Screenshots are rarely helpful except in rare cases, to perhaps show you're on the same page with someone else on running tools or settings.

Logs are what is needed, and those types of tools can help do that.

Since you're using the Windows Pro version, you can also enable auditing to help track down issues.
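As an added example of the auditing the Root Admin refers to (not from the thread), the following PowerShell turns on Windows process-creation auditing with command-line capture and then summarises the resulting Security log events (ID 4688) by parent and child process, so a burst of cmd.exe or notepad.exe launches can be traced to whatever spawned them. It assumes an elevated prompt on Windows 10/11 Pro; the CSV path under the user profile and the one-hour window are assumptions. `auditpol`, the `ProcessCreationIncludeCmdLine_Enabled` policy value and the 4688 event fields used here are standard Windows features.

```powershell
# Added example, not from the thread: enable process-creation auditing and
# summarise recent Security 4688 events by parent -> child. Run as Administrator.

# 1. Enable the "Process Creation" audit subcategory.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Ask Windows to include the full command line in each 4688 event.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. While (or just after) the symptoms occur, pull recent process-creation events.
function Get-ProcessCreationSummary {
    param([int]$Hours = 1)   # window length is an assumption; widen as needed

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Each 4688 event carries its fields as <Data Name="..."> nodes in the event XML.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $d['SubjectUserName']
            Parent  = $d['ParentProcessName']
            Child   = $d['NewProcessName']
            Command = $d['CommandLine']
        }
    }

    # Most frequent parent -> child pairs first; a runaway spawner stands out.
    $rows | Group-Object Parent, Child |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize | Out-Host

    return $rows
}

$all = Get-ProcessCreationSummary -Hours 1
$all | Export-Csv (Join-Path $env:USERPROFILE 'process-creation.csv') -NoTypeInformation
```

The summary table answers the immediate question (which parent is launching the flood of windows); the exported CSV keeps the full command lines so the launching process and its arguments can be matched against the scheduled task, service or browser extension responsible.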

This topic is now closed to further replies.