
Where do I start! I have tried and tried :*( 1BTC Reward



#1 CompletelyScrewed

Posted 23 October 2014 - 04:42 AM

Hi Bleeping Computer

 

I have resorted to asking for help with regard to what I believe may be a rootkit, possibly even hypervisor malware (excuse this, as I only mention it in complete ignorance, but it matches what seems to be the array of problems I am receiving).

 

I fear that my motherboard's firmware has been compromised.

 

To just confirm, I have resorted to low-level formats on all my drives and ROG's Secure Erase for my SSDs, and still this malware laughs in my face. Also my router is continually getting compromised. I have reflashed firmware and rebought 3 routers. All of them get hacked within 20 seconds, from what my limited networking knowledge shows me.

 

Now I have restored my home-built PC no less than 20 times, and each time I see more and more indicators of the malware, possibly a small part paranoia and Microsoft's and other companies' very misleading and suspiciously named services and programs.

 

What I believe has confirmed this for me is during the Win 8 installation process.

 

When choosing custom install, at the bottom there is the Load Drivers option. Now when I click this (keep in mind I have a £5 basic keyboard and no mouse, as a precautionary measure with my gaming hardware all containing memory, and every single HDD physically disconnected), it is showing a second X: drive on top of the installation CD. Now when I expand this drive it contains a lot of suspect folders, even more so with the folders having names and data that could not possibly be there on the installation CD, and a large WOWsys64. I have tried using DiskPart to format, delete, forcibly corrupt and /force it all; however, I cannot access it as it is write protected.

 

Now I believe I am then being opened up and obliterated with Windows PowerShell and my comp is being converted into a VM. I have made every attempt to try and combat this, and before I know it everything is reverted back.

 

I am also constantly getting virtualapp/didlogical added in the generic credentials; even following deletion it's back in minutes.

 

On top of that, the computer is getting a plethora of tasks added to Task Scheduler.

 

The certificate security system is completely useless, and no matter how many security enforcements I enable in MMC policies, my comp will not rid the PC of invalid, revoked or altered certificates. I have tried adding my own security cert; however, I am locked out from doing this also.

 

MSE is unable to start. I also use Symantec Endpoint business protection and also Malwarebytes Premium and their real-time premium exploit protection. When trying to install Malwarebytes it fails completely, including all Chameleon installers.

 

My Symantec history logs are a joke, because as soon as it detects intrusions it's immediately followed by created rules and generated access. I constantly have an army of duplicate and hidden network adapters that will immediately reappear on next logon following removal, even through the sys reg route.

 

sfc /scannow cannot fix corruptions.

 

I believe all my accounts are compromised even following multiple PW changes. I also adopt the phone authenticator for these accounts, but no use, as the moment I attach a device to my network it gets hacked. I am guessing that there is malware that can possibly allow access to the authenticator.

 

This is but a tiny fraction of the problems I have encountered, but the best part is I have a website recently started that was going to be my parent company site for my business, which is allinonespot.com, to help with networking, and to see statistics I use a service called brandyourself.com which logs all instances of site visits. What's funny in a hopelessly sad way is that I suddenly started receiving huge amounts of activity from Beijing and Russia; even more peculiar is that some of the results state that my profile was visited following a link or profile supposedly on baidu.com? Also many from Russia and also strangely "unknown", which is not how brandyourself's results are displayed.

 

I have found questionable logs when forcing permission changes on hidden folders (permission is reverted back instantly on next login) which contain very sensitive info and Facebook info, including something about this URL? I think it needs to be protected, as it gives the same access as username and password. I have also had numerous Facebook logins without that person needing or having to use Facebook's authenticator.

 

My maintenance account is always converted to a standard profile and none of them will convert to a roaming profile.

 

Furthermore, my critical downloads I believe are being compromised when downloading, as when using browser development tools a lot of my downloads and site visits are either redirected or my downloads diverted to an alternate source.

 

The IP address that I get is 10.61.106.36, which won't show up on any IP checker site I try.

 

I am in desperate need of help; all 3 of my home comps are infected, and all devices, and I just don't know what to do with regard to protecting my router.

 

Another alarming issue is with a device I use for BTC security known as Trezor. Now when visiting their site I have been getting some very strange JavaScript errors, one of which was a mix of letters and numbers with the .js filetype. Now when searching this JS, not only did Google turn up only 2 or 3 results, but when clicking on the link there was a huge script posted on a script hosting site which shows the stats of people viewing and date posted etc. At the time of checking the script was 5 days old and 167 people had viewed it, and the script contained my public keys and some comp info. Is this something also to be alarmed about?

 

Any help with this and I will reward or "donate" 1 BTC to the site. I have also included a screenshot of some of the brandyourself results that coincided with my comp being compromised.

 

Attached Files




#2 dc3

Posted 23 October 2014 - 10:14 AM

Are you operating more than one antivirus?



 

 

 

 


#3 CompletelyScrewed (Topic Starter)

Posted 23 October 2014 - 03:44 PM

Hi, I really appreciate the response. I have never operated 2 simultaneously; however, I have changed from Norton 360 to the Endpoint Protection, and on one instance I used Norton cleaner followed by Power Eraser, but the rest of the time I changed it only on a fresh install. The last help Symantec gave me was:

 

 

Wednesday, August 13, 2014 1:41:18 AM
Lifesaver :) Works a treat now

Created by: Wednesday, August 13, 2014 12:43:51 AM
Hello,
 
Thank you for contacting Symantec Cloud Support.

The logs indicate the install is hanging on another AV product. This could be a previous cloud install, a different version of Symantec, or another AV product.

Please run the Symantec Cloud Removal tools and then try again:

NOTE - Cloud Extractor will Corrupt the Cloud version of Backup Exec
NOTE - Norton Removal Tool will delete all Norton Products
NOTE - CleanWipe needs to be run locally or on a console 0 session
 
You will need to download the removal tools from here:
 
https://fileshare.symantec.com
Login:
Password: 
 
NOTE: Please save all the tools to your system and unzip them before running.
 
Steps for Reinstall:
 
Running the removal tools on a workstation
============================================
-Please uninstall Symantec.Cloud or other Anti-Virus from your control panel under Add/Remove Programs or Programs and Features.
-Delete the computer from your portal at https://hostedendpoint.spn.com so you don't end up with duplicates
-Run the Norton Removal Tool
-Run the Symantec Cloud Removal Extractor
-Reboot
-Reinstall Symantec.Cloud with a new installation package created by your portal at https://hostedendpoint.spn.com


If you had a different AV install you can view the website below and try to find their removal tool:

http://kb.eset.com/esetkb/index?page=content&id=SOLN146&locale=en_US
 
 
Thanks,
 
Michael Lutz, Symantec Certified Specialist
Technical Support Engineer
 
www.symanteccloud.com
24x7 Global Client Support Center
US/Canada: 1-866-807-6047
EMEA: +44-0-870-850-3014
Australia: 1-800-088099

Wednesday, August 13, 2014 12:23:39 AM
Hi, here are my logs, instant failure again :(

Created by: _ _ _ _ _ _ _

Tuesday, August 12, 2014 11:53:36 PM
Hello,
 
Thank you for contacting Symantec Cloud Support.

I see the install starting to slow down quite a bit. Please create a redistributable package and use that to install. It should reduce the overall resource strain while installing.

Creating a redistributable package

- Log into your portal
- Computer tab
- Add Computers
- Select Endpoint Protection
- Click the Redistributable package option
- Save the package creator
- Run the package creator
-A Symredistributable.exe will be created on the desktop use this to install

If you still have issues, please gather the logs from the location below and attach them to a reply email.

• %Programdata%\NortonInstaller\Logs\*all contents*

• %Programdata%\Symantec.Cloud\syminstall\*all contents*

 
Thanks,
 
Michael Lutz, Symantec Certified Specialist
Technical Support Engineer
 
www.symanteccloud.com
24x7 Global Client Support Center
US/Canada: 1-866-807-6047
EMEA: +44-0-870-850-3014
Australia: 1-800-088099

 

However this is unrelated and predates my major infection.

 

Also I would like to say that, as long as it's allowed, the donation is for anyone that can help.

 

So if we ignore the solution for a sec, I will still be extremely grateful just for a diagnosis :)

 

regards

 



#4 CompletelyScrewed (Topic Starter)

Posted 24 October 2014 - 04:10 AM

So I just wanted to say that I am still desperate for any help. If there is anything I can do or need to do before I can receive expert help, please tell me and I will endeavour to meet the criteria/needs etc. Even though the solution is the obvious goal, even a confirmation and diagnosis of what is happening and how it most likely happened would also be appreciated. I have read many posts on here where the experts go above and beyond to fix people's computers, and I am amazed at their very thorough analysis followed by fool-proof, super detailed step-by-step guides. If someone could even point me in the right direction it would get my journey underway at least, so that I can have a secure and clean home network. I am not beyond replacing everything for brand new, but I am worried that it will happen again, with me having router after router compromised very quickly, and even after changing ISPs, might I add. Anyhow, ty for once again humouring me by reading. Just an approximate guess from an intermediate or beginner user that possibly has any idea would help, as it would at least give me something to research through Google.

 

Regards



#5 dc3

Posted 24 October 2014 - 10:17 AM

Please download and install Speccy to provide us with information about your computer. When FileHippo opens, click on Download latest version in the upper right pane.
 
When Speccy opens you will see a screen similar to the one below.
 
[screenshot: Speccy main window, with File outlined in red]
 
Click on File which is outlined in red in the screen above, and then click on Publish Snapshot.
 
The following screen will appear, click on Yes.
 
[screenshot: Speccy publish confirmation dialog]
 
The following screen will appear, click on Copy to Clipboard.
 
[screenshot: Speccy snapshot link dialog with Copy to Clipboard]
 
In your next post right click inside the Reply to Topic box, then click on Paste. This will load a link to the Speccy log.
 
 

Please download MiniToolBox, save it to your desktop and run it.
 
Checkmark the following checkboxes:
 
• List last 10 Event Viewer log
• List Installed Programs
• List Users, Partitions and Memory size.
• List Minidump Files
 
Click on Go to start the scan. Once it is finished highlight the text, copy it and paste it in your next post.
 
 

 
Double click on the download and choose to run the program.
 
A screen similar to the one below will open, click any key to run the program.
 
[screenshot: Security Check console window]
 
When the scan is finished there will be a log, copy and then paste your log in your next post.


 

 

 

 


#6 Kilroy (BC Advisor)

Posted 14 November 2016 - 03:28 PM

Suggestions.

 

For the router, have you changed the administrative password from its default? Have you turned off remote administration of the router? Either of those could be possible vectors into your network. Unlikely, but possible.

 

The X: drive during the Windows install is a RAM drive created by the Windows installer and is normal.

 

You need to limit your anti-virus software; in this case more is not better.

 

Since you are behind a router it is very unlikely that you are being infected as soon as you install Windows. If you are concerned, make sure that all of the other computers are off until you have your anti-virus software installed.
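The following triage script is an added example and is not from any of the posts above. It turns the checks suggested in #6 (router management exposure, number of installed anti-virus products) and the symptoms listed in #1 (a 10.x.x.x address that "won't show up on any IP checker site", tasks added to Task Scheduler, hidden network adapters, the virtualapp/didlogical credential) into one script you can run from an elevated PowerShell on the affected PC. It assumes Windows 8 or later, that the router is the IPv4 default gateway, and that the root/SecurityCenter2 WMI namespace exists (it does on client editions of Windows, not on Server). Two facts the script relies on: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are private ranges defined in RFC 1918, so a "what is my IP" site can only ever see the router's public address and never 10.61.106.36; and the virtualapp/didlogical credential is widely documented as created by Windows' Microsoft account sign-in components, so its reappearance is expected.

```powershell
# Added triage script for the symptoms discussed in this thread (not from the
# original posts). Assumptions: Windows 8+, elevated PowerShell on the affected PC,
# the router is the IPv4 default gateway, root/SecurityCenter2 exists (client SKUs).

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT (100.64.0.0/10). A PC
# behind a home router only ever has one of these; public IP checkers see the router.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $o = $Address.Split('.')
    if ($o.Count -ne 4) { return $false }
    $o = $o | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 100 -and $o[1] -ge 64 -and $o[1] -le 127)
}

Write-Host "`n== Local IPv4 addresses =="
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' } |
    ForEach-Object {
        $kind = if (Test-PrivateIPv4 -Address $_.IPAddress) { 'private (behind NAT)' } else { 'public' }
        '{0,-16} {1,-22} {2}' -f $_.IPAddress, $kind, $_.InterfaceAlias
    }

Write-Host "`n== Anti-virus products registered with Windows (keep exactly one) =="
$av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct)
$av | Select-Object displayName, productState, pathToSignedProductExe |
    Format-Table -AutoSize | Out-Host
if ($av.Count -gt 1) {
    Write-Warning "$($av.Count) anti-virus products are registered; uninstall all but one."
}

Write-Host "`n== Router management ports reachable from this LAN =="
$gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
       Sort-Object RouteMetric | Select-Object -First 1).NextHop
foreach ($port in 23, 80, 443, 8080) {
    # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
    $open = Test-NetConnection -ComputerName $gw -Port $port -InformationLevel Quiet `
                -WarningAction SilentlyContinue
    '{0}:{1,-5} {2}' -f $gw, $port, $(if ($open) { 'open' } else { 'closed' })
}

Write-Host "`n== Scheduled tasks outside the \Microsoft\ tree and what they execute =="
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Author    = $task.Author
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    } | Format-Table -AutoSize -Wrap | Out-Host

Write-Host "`n== Hidden network adapters =="
Get-NetAdapter -IncludeHidden | Where-Object { $_.Hidden } |
    Select-Object Name, InterfaceDescription, Status |
    Format-Table -AutoSize | Out-Host

Write-Host "`n== Stored credentials (virtualapp/didlogical here is created by Windows) =="
cmdkey /list | Select-String 'Target:'
```

Telnet (23) or HTTP (80) open on the gateway only means the router's admin interface is reachable from inside the LAN, which is normal; whether it is also exposed on the WAN side has to be checked in the router's own settings (the "remote administration" option #6 refers to) or from outside the network. The X: drive mentioned in #6 can be confirmed from Windows Setup itself: press Shift+F10 for a command prompt and run `reg query HKLM\SYSTEM\CurrentControlSet\Control\MiniNT`; that key exists only in Windows PE, which is what Setup boots into from its RAM disk.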





